in-toto Attestation Statement
Schema for the in-toto Attestation Framework Statement structure. A Statement is a verifiable claim about one or more software subjects. It consists of a fixed lightweight envelope with a subject (the artifact being described) and a predicate (the claim about that subject). Common predicate types include SLSA Provenance, SPDX SBOM, and Vulnerability Scan results.
Properties
| Name | Type | Description |
|---|---|---|
| _type | string | URI identifying this document as an in-toto Attestation Framework Statement v1. |
| subject | array | One or more software artifacts that this statement applies to. Each subject is identified by name and cryptographic digest. |
| predicateType | string | URI that identifies the schema and semantics of the predicate. Well-known values include https://slsa.dev/provenance/v1 and https://spdx.dev/Document. |
| predicate | object | The claim about the subjects. Its structure is defined by the schema that the predicateType URI identifies; this Statement schema does not validate the predicate contents, so they must be validated separately against that predicate schema. May describe provenance, vulnerability scan results, test results, code review, or any other supply chain assertion. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://in-toto.io/schemas/v1/attestation.json",
"title": "in-toto Attestation Statement",
"description": "Schema for the in-toto Attestation Framework Statement structure. A Statement is a verifiable claim about one or more software subjects. It consists of a fixed lightweight envelope with a subject (the artifact being described) and a predicate (the claim about that subject). Common predicate types include SLSA Provenance, SPDX SBOM, and Vulnerability Scan results.",
"type": "object",
"required": ["_type", "subject", "predicateType", "predicate"],
"properties": {
"_type": {
"type": "string",
"const": "https://in-toto.io/Statement/v1",
"description": "URI identifying this document as an in-toto Attestation Framework Statement v1."
},
"subject": {
"type": "array",
"description": "One or more software artifacts that this statement applies to. Each subject is identified by name and cryptographic digest.",
"minItems": 1,
"items": {
"$ref": "#/$defs/Subject"
}
},
"predicateType": {
"type": "string",
"format": "uri",
"description": "URI that identifies the schema and semantics of the predicate. Well-known values include https://slsa.dev/provenance/v1 and https://spdx.dev/Document."
},
"predicate": {
"type": "object",
"description": "The claim about the subjects. Its structure is defined by the schema that the predicateType URI identifies; this Statement schema does not validate the predicate contents, so they must be validated separately against that predicate schema. May describe provenance, vulnerability scan results, test results, code review, or any other supply chain assertion.",
"additionalProperties": true
}
},
"$defs": {
"Subject": {
"type": "object",
"description": "A single software artifact that is the subject of this attestation, identified by name and one or more cryptographic digests.",
"required": ["name", "digest"],
"properties": {
"name": {
"type": "string",
"description": "Human-readable name for the artifact. For files, this is typically a path or filename. For container images, this is typically an image reference without a digest."
},
"digest": {
"$ref": "#/$defs/DigestSet"
}
}
},
"DigestSet": {
"type": "object",
"description": "A set of cryptographic digests for an artifact, keyed by hash algorithm name. At least one digest must be present.",
"minProperties": 1,
"properties": {
"sha256": {
"type": "string",
"pattern": "^[a-fA-F0-9]{64}$",
"description": "SHA-256 hex digest."
},
"sha512": {
"type": "string",
"pattern": "^[a-fA-F0-9]{128}$",
"description": "SHA-512 hex digest."
},
"sha1": {
"type": "string",
"pattern": "^[a-fA-F0-9]{40}$",
"description": "SHA-1 hex digest. SHA-1 is no longer considered collision-resistant, so its use is discouraged for new attestations."
},
"gitCommit": {
"type": "string",
"pattern": "^[a-fA-F0-9]{40}$",
"description": "Full Git commit SHA-1 hash identifying a specific commit."
}
},
"additionalProperties": {
"type": "string",
"description": "Digest value for an alternate algorithm, keyed by that algorithm's name. This schema does not check the format of such values; consumers must validate them according to the named algorithm."
}
},
"SLSAProvenancePredicate": {
"type": "object",
"description": "SLSA Provenance predicate (v1) describing how an artifact was built. Used with predicateType https://slsa.dev/provenance/v1.",
"required": ["buildDefinition", "runDetails"],
"properties": {
"buildDefinition": {
"type": "object",
"description": "Describes the inputs to the build: the build type, external parameters, and resolved dependencies.",
"required": ["buildType", "externalParameters"],
"properties": {
"buildType": {
"type": "string",
"format": "uri",
"description": "URI identifying the build system type and the schema for externalParameters."
},
"externalParameters": {
"type": "object",
"description": "The parameters that were supplied by the caller of the build system. Structure depends on the buildType.",
"additionalProperties": true
},
"internalParameters": {
"type": "object",
"description": "Parameters set by the build system itself, not controllable by the caller.",
"additionalProperties": true
},
"resolvedDependencies": {
"type": "array",
"description": "External artifacts that influenced the build and are not explicitly listed in externalParameters.",
"items": {
"$ref": "#/$defs/ResourceDescriptor"
}
}
}
},
"runDetails": {
"type": "object",
"description": "Details specific to this particular execution of the build.",
"required": ["builder"],
"properties": {
"builder": {
"type": "object",
"description": "The build system that produced this attestation.",
"required": ["id"],
"properties": {
"id": {
"type": "string",
"format": "uri",
"description": "URI identifying the builder."
},
"version": {
"type": "object",
"description": "Version information for components of the builder.",
"additionalProperties": {
"type": "string"
}
},
"builderDependencies": {
"type": "array",
"description": "Artifacts that the builder used that are not part of the build definition.",
"items": {
"$ref": "#/$defs/ResourceDescriptor"
}
}
}
},
"metadata": {
"type": "object",
"description": "Metadata about this build run.",
"properties": {
"invocationId": {
"type": "string",
"description": "Unique identifier for this build invocation."
},
"startedOn": {
"type": "string",
"format": "date-time",
"description": "RFC 3339 date-time timestamp of when the build started."
},
"finishedOn": {
"type": "string",
"format": "date-time",
"description": "RFC 3339 date-time timestamp of when the build finished."
}
}
},
"byproducts": {
"type": "array",
"description": "Additional artifacts produced by the build that are not the primary output.",
"items": {
"$ref": "#/$defs/ResourceDescriptor"
}
}
}
}
}
},
"ResourceDescriptor": {
"type": "object",
"description": "A reference to a software artifact used as input to or produced by a build. Includes a URI and optional digest and annotations.",
"properties": {
"uri": {
"type": "string",
"format": "uri",
"description": "URI identifying the resource."
},
"digest": {
"$ref": "#/$defs/DigestSet"
},
"name": {
"type": "string",
"description": "Semver or local name used to reference this resource within the build definition."
},
"downloadLocation": {
"type": "string",
"format": "uri",
"description": "URI where this resource can be downloaded."
},
"mediaType": {
"type": "string",
"description": "MIME type of the resource."
},
"annotations": {
"type": "object",
"description": "Additional key-value metadata about the resource.",
"additionalProperties": true
}
}
}
}
}