docs: expand ci and dsse guidance

Author: haasonsaas

README.md

@@ -187,6 +187,7 @@ The same process works against forks or sandboxes—helpful when validating new
 - The workflow helper collects the PR diff (`base_sha..head_sha`), submits it to `/v1/analysis`, polls `/v1/analysis/{id}`, and prints the enriched decision payload so reviewers can inspect risk summaries inline.
 - Consume `/v1/analysis/{id}/sarif` when you need static-analysis interoperability (e.g., uploading to GitHub code scanning or aggregating findings in other dashboards).
 - Surface decision bundles in CI by hitting `/v1/analysis/{id}/bundle` (e.g., attach the DSSE envelope as a build artifact) to preserve signed provenance for downstream policy checks.
+- See [docs/ci-integration.md](docs/ci-integration.md) for a comprehensive workflow guide, SARIF upload recipe, artifact archiving, and non-GitHub CI examples.
 
 ## Telemetry Export
 
@@ -218,6 +219,12 @@ The same process works against forks or sandboxes—helpful when validating new
 - A lightweight synchronous client lives in `clients/python`; use `ProvenanceClient` for basic ingestion/status/analytics calls.
 - Async support is available via `AsyncProvenanceClient`. Install the client SDK with `pip install provenance[client]` and import from `clients.python`.
 
+## Additional Documentation
+
+- [CI Integration Guide](docs/ci-integration.md) – Configure GitHub Actions, upload SARIF, archive decision bundles, and adapt the workflow to other CI systems.
+- [SARIF Reporting](docs/sarif.md) – Understand the SARIF 2.1.0 output, severity mapping, and customization hooks.
+- [DSSE Decision Bundles](docs/decision-bundles.md) – Inspect the envelope schema, verify signatures, and integrate with transparency logs.
+
 ## Data Persistence Model
 
 - **Analyses** – Stored as JSON blobs keyed by `analysis:{analysis_id}` with a sorted set index for time-window queries.

clients/github-action/run.py

@@ -2,6 +2,7 @@
 
 import argparse
 import json
+import os
 import subprocess
 import time
 from pathlib import Path
@@ -103,6 +104,12 @@ def main() -> None:
     response = submit_analysis(args.api_url, args.api_token, payload)
     analysis_id = response["analysis_id"]
     decision = poll_decision(args.api_url, args.api_token, analysis_id)
+    write_response_path = os.getenv("PROVENANCE_WRITE_RESPONSE_PATH")
+    if write_response_path:
+        out_path = Path(write_response_path)
+        if not out_path.parent.exists():
+            out_path.parent.mkdir(parents=True, exist_ok=True)
+        out_path.write_text(json.dumps(decision, indent=2) + "\n", encoding="utf-8")
     print(json.dumps(decision, indent=2))
     decision_info = decision.get("decision") or {}
     outcome_value = decision_info.get("outcome") or decision.get("status")

docs/ci-integration.md

@@ -0,0 +1,151 @@
+# CI Integration Guide
+
+This guide walks through wiring Provenance into continuous integration systems so every pull request is analyzed, decisions are enforced automatically, and evidence is archived for future audits.
+
+## Prerequisites
+
+- Provenance API endpoint (e.g. `https://provenance.example.com`).
+- API token with permission to create analyses and read decisions.
+- Python 3.12 runtime available to the pipeline (the bundled GitHub Action installs [uv](https://docs.astral.sh/uv/latest/) and reuses this repository's dependency lockfile).
+- Optional: Ed25519 public key published via `PROVENANCE_DECISION_VERIFY_KEY` if your governance service signs DSSE bundles.
+
+## GitHub Actions
+
+We ship a composite action in `clients/github-action/` that:
+
+1. Collects the unified diff between the PR base and head commits.
+2. Submits the diff plus provenance metadata to `/v1/analysis`.
+3. Polls `/v1/analysis/{id}` until the analysis completes.
+4. Prints the structured decision payload for reviewer visibility.
+5. Exits with a non-zero status when the policy outcome is `block`.
+
+### Example Workflow
+
+Save the following as `.github/workflows/provenance.yml` and provide the API configuration through GitHub secrets:
+
+```yaml
+name: Provenance Governance
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Ensure the full history is present for an accurate diff.
+          fetch-depth: 0
+
+      - name: Run Provenance analysis
+        uses: ./clients/github-action
+        with:
+          api_url: ${{ secrets.PROVENANCE_API_URL }}
+          api_token: ${{ secrets.PROVENANCE_API_TOKEN }}
+```
+
+When a decision is `block`, the job fails and the PR is marked red. `allow` and `warn` outcomes complete successfully; governance context is still attached to the run log for reviewer triage.
+
+### Exposing SARIF Findings in GitHub
+
+The analysis API now exposes a SARIF 2.1.0 representation of each run. Add a follow-up step to fetch the SARIF payload and upload it to the GitHub code scanning UI:
+
+```yaml
+      - name: Download SARIF report
+        if: success() || failure()
+        run: |
+          set -euo pipefail
+          ANALYSIS_ID=$(jq -r '.analysis_id' provenance.json)
+          curl -sSf -H "Authorization: Bearer ${{ secrets.PROVENANCE_API_TOKEN }}" \
+            "$${{ secrets.PROVENANCE_API_URL }}/v1/analysis/${ANALYSIS_ID}/sarif" \
+            -o provenance.sarif
+
+      - name: Upload SARIF to GitHub
+        if: success() || failure()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: provenance.sarif
+```
+
+To make the SARIF payload available, update the action invocation to persist the API response JSON:
+
+```yaml
+      - name: Run Provenance analysis
+        uses: ./clients/github-action
+        with:
+          api_url: ${{ secrets.PROVENANCE_API_URL }}
+          api_token: ${{ secrets.PROVENANCE_API_TOKEN }}
+        env:
+          PROVENANCE_WRITE_RESPONSE_PATH: provenance.json
+```
+
+The `clients/github-action/run.py` script respects `PROVENANCE_WRITE_RESPONSE_PATH` and mirrors the latest decision payload to disk so downstream steps can reference the analysis identifier without re-polling the API.
+
+### Archiving DSSE Decision Bundles
+
+Signed DSSE envelopes provide tamper-evident evidence for pipeline attestations. Attach the bundle to the workflow artifacts:
+
+```yaml
+      - name: Archive decision bundle
+        if: success() || failure()
+        run: |
+          set -euo pipefail
+          ANALYSIS_ID=$(jq -r '.analysis_id' provenance.json)
+          curl -sSf -H "Authorization: Bearer ${{ secrets.PROVENANCE_API_TOKEN }}" \
+            "$${{ secrets.PROVENANCE_API_URL }}/v1/analysis/${ANALYSIS_ID}/bundle" \
+            -o decision-bundle.json
+
+      - uses: actions/upload-artifact@v4
+        if: success() || failure()
+        with:
+          name: provenance-decision-bundle
+          path: decision-bundle.json
+          retention-days: 30
+```
+
+Auditors can later verify the payload hash and (if configured) Ed25519 signature against the published governance verification key.
+
+## Other CI Systems
+
+The workflow runner is a thin wrapper around four HTTP calls, so porting the integration to other CI providers is straightforward.
+
+1. Generate the diff for the change under review. For example, in Jenkins:
+
+   ```bash
+   git fetch origin "${CHANGE_TARGET}"
+   git diff --unified=0 "origin/${CHANGE_TARGET}...${GIT_COMMIT}" > diff.patch
+   ```
+
+2. Convert the diff to the `changed_lines` payload expected by `/v1/analysis`. You can reuse `clients/github-action/run.py` directly (`python -m clients.github-action.run ...`) or craft JSON with a custom script.
+
+3. Submit the payload:
+
+   ```bash
+   curl -sSf -H "Authorization: Bearer ${PROVENANCE_API_TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d "@payload.json" \
+     "${PROVENANCE_API_URL}/v1/analysis"
+   ```
+
+4. Poll `/v1/analysis/{id}` until `status` is `completed`; enforce `decision.outcome == "block"` to fail the job.
+
+5. Optionally fetch `/v1/analysis/{id}/sarif` and `/v1/analysis/{id}/bundle` to integrate with downstream scanners or evidence stores.
+
+### Containerized Stages
+
+If your CI stages run in disposable containers:
+
+- Install `uv` (or `pip`) to execute `clients/github-action/run.py`.
+- Mount the repository workspace so the diff generator can inspect tracked files.
+- Provide `PROVENANCE_API_URL` and `PROVENANCE_API_TOKEN` via environment variables or secrets injection.
+- Persist the JSON response to disk if later stages depend on the analysis identifier.
+
+## Debugging Tips
+
+- The composite action logs the raw decision payload; review the `risk_summary` and `decision.rationale` fields when a run blocks unexpectedly.
+- Use the `PROVENANCE_TRACE=1` environment variable to enable verbose HTTP logging inside the action script.
+- When testing locally, run `uv run clients/github-action/run.py --help` to see available arguments.
+- Double-check that `fetch-depth: 0` (or an equivalent full clone) is configured; shallow clones omit base commits, leading to empty diffs and analyses that no-op.
+- If polling times out, inspect the Provenance server logs for long-running detectors or governance evaluations; consider extending the `--timeout-s` flag in the CLI.

docs/decision-bundles.md

@@ -0,0 +1,120 @@
+# DSSE Decision Bundles
+
+Provenance emits DSSE-formatted envelopes for every governance evaluation so downstream systems can verify policy outcomes independently. This document explains the payload structure, signing process, and recommended verification steps.
+
+## Envelope Structure
+
+Decision bundles follow the [in-toto DSSE specification](https://github.com/in-toto/ietf-draft), using JSON as the payload type:
+
+```json
+{
+  "payloadType": "application/provenance.decision+json",
+  "payload": "<base64-encoded canonical JSON>",
+  "payloadSha256": "<hex digest of the decoded payload>",
+  "signatures": [
+    {
+      "keyid": "decision-key",
+      "sig": "<base64-encoded Ed25519 signature>"
+    }
+  ]
+}
+```
+
+The decoded payload contains the authoritative decision context:
+
+```json
+{
+  "analysis_id": "an_abcd1234",
+  "repo_id": "acme/shop",
+  "pr_number": "77",
+  "decided_at": "2024-06-07T19:11:42.483920Z",
+  "outcome": "block",
+  "policy_version": "2024-06-01",
+  "rationale": "Critical findings detected.",
+  "risk_summary": {
+    "findings_total": 3,
+    "findings_by_category": {"code_execution": 2, "secrets": 1},
+    "findings_by_severity": {"critical": 1, "high": 2},
+    "coverage": {
+      "total_lines": 22,
+      "attributed_lines": 18,
+      "unknown_line_count": 4,
+      "coverage_percent": 81.82
+    }
+  },
+  "provenance_confidence": {
+    "agent_attribution_percent": 95.0,
+    "cryptographic_attestations": 17
+  },
+  "thresholds": {
+    "warn": {"code_execution": 1},
+    "block": {"secrets": 1}
+  },
+  "detector_capabilities": {
+    "semgrep": {
+      "ruleset": "app/detection_rules/semgrep_rules.yml",
+      "sha256": "..."
+    }
+  },
+  "line_count": 22,
+  "finding_count": 3,
+  "inputs_sha256": "e843a82d88e1416f33804ce96f41d2a57c99b35a2f1b9e1d4fb86a03d38f6c5d"
+}
+```
+
+### Canonicalization
+
+- The payload is serialized with `sort_keys=True` and compact separators `(",", ":")`.
+- `payloadSha256` is computed over the raw UTF-8 bytes of this canonical JSON.
+- Signatures cover the same byte sequence, ensuring tamper detection.
+
+## Retrieving Bundles
+
+- API: `GET /v1/analysis/{id}/bundle` returns the envelope alongside the original analysis identifier.
+- Telemetry: a `decision_bundle` event is published to configured sinks (Redis, ClickHouse, Snowflake, etc.) for streaming ingestion.
+- CI: the GitHub Action recipe in [docs/ci-integration.md](ci-integration.md) demonstrates downloading the bundle and archiving it as an artifact.
+
+## Signature Verification
+
+If `PROVENANCE_DECISION_SIGNING_KEY` is configured on the server, an Ed25519 signature is attached to each bundle. Clients verify signatures with the corresponding public key (`VerifyKey`).
+
+Python example:
+
+```python
+import base64
+import json
+from nacl.signing import VerifyKey
+
+def verify_bundle(envelope: dict, verify_key_b64: str) -> dict:
+    payload_bytes = base64.b64decode(envelope["payload"])
+    expected_sha = envelope["payloadSha256"]
+    actual_sha = __import__("hashlib").sha256(payload_bytes).hexdigest()
+    if actual_sha != expected_sha:
+        raise ValueError("payloadSha256 mismatch")
+
+    signatures = envelope.get("signatures") or []
+    if not signatures:
+        raise ValueError("no signatures present")
+
+    verify_key = VerifyKey(base64.b64decode(verify_key_b64))
+    signature = base64.b64decode(signatures[0]["sig"])
+    verify_key.verify(payload_bytes, signature)
+    return json.loads(payload_bytes)
+```
+
+Validation checklist:
+
+- Compare `analysis_id`, `repo_id`, and `pr_number` against the workflow that fetched the bundle.
+- Inspect `inputs_sha256` to confirm the provenance inputs used by governance match the expected diff metadata.
+- Review `detector_capabilities` to confirm the rule packs and detectors loaded at evaluation time.
+
+## Integrating with Sigstore / Rekor
+
+- Push the envelope to an append-only transparency log to create an auditable trail of governance decisions.
+- Optionally include the DSSE bundle as an annotation on OCI artifacts, release tags, or SBOM documents to tie provenance decisions to shipped assets.
+
+## Troubleshooting
+
+- Empty `signatures`: ensure `PROVENANCE_DECISION_SIGNING_KEY` is set to a base64-encoded Ed25519 private key on the server; restart the service after updating the setting.
+- Hash mismatch: verify that intermediaries are not reformatting the JSON (e.g., pretty-printing the payload before storage). Always store the original envelope untouched.
+- Out-of-sync detector metadata: confirm the analysis ingestion stage persisted detector capability snapshots (`AnalysisService` copies active detector digests into `provenance_inputs.detector_capabilities`).