@joejstuart

Adds core functionality to retrieve VSA (Vulnerability and Security Assessment) records from Rekor using image digests. This is Phase 1 of the VSA retrieval feature, providing the low-level capability needed before higher-level logic can be built.

Key changes:

  • Add VSARetriever interface for retrieving VSA records from Rekor
  • Implement RekorVSARetriever with comprehensive error handling using fmt.Errorf
  • Add RetrievalOptions struct for configuring VSA retrieval behavior
  • Create VSARecord struct to represent retrieved VSA records
  • Implement image digest validation (sha256, sha512)
  • Add base64 decoding for attestation data search
  • Include comprehensive unit tests covering all acceptance criteria:
    • Single VSA record found
    • Multiple VSA records found
    • No records found
    • Empty/invalid image digest handling
    • Rekor unreachable scenarios
    • Error propagation

https://issues.redhat.com/browse/EC-1277

AI-assisted implementation by Claude Sonnet 4.

@joejstuart joejstuart marked this pull request as draft July 23, 2025 12:54
@joejstuart joejstuart marked this pull request as ready for review July 23, 2025 17:29
@codecov

codecov bot commented Aug 6, 2025

Codecov Report

❌ Patch coverage is 59.15493% with 87 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/validate/vsa/rekor_retriever.go | 58.37% | 87 Missing ⚠️ |

| Flag | Coverage Δ |
|---|---|
| generative | ? |
| integration | 66.64% <59.15%> (-2.10%) ⬇️ |
| unit | ? |

| Files with missing lines | Coverage Δ |
|---|---|
| internal/validate/vsa/retrieval.go | 100.00% <100.00%> (ø) |
| internal/validate/vsa/rekor_retriever.go | 58.37% <58.37%> (ø) |

... and 24 files with indirect coverage changes

@joejstuart joejstuart merged commit 65f5226 into conforma:main Aug 7, 2025
13 of 14 checks passed