
Commit 079e530

Google APIscopybara-github
authored andcommitted
feat: Support for Secrets
feat: Support for Layer Details PiperOrigin-RevId: 754105940
1 parent 4c7d649 commit 079e530

5 files changed

Lines changed: 326 additions & 59 deletions


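--- a/grafeas/v1/BUILD.bazel
+++ b/grafeas/v1/BUILD.bazel
@@ -39,6 +39,7 @@ proto_library(
 "package.proto",
 "provenance.proto",
 "sbom.proto",
+"secret.proto",
 "severity.proto",
 "slsa_provenance.proto",
 "slsa_provenance_zero_two.proto",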

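--- a/grafeas/v1/common.proto
+++ b/grafeas/v1/common.proto
@@ -49,6 +49,8 @@ enum NoteKind {
 VULNERABILITY_ASSESSMENT = 11;
 // This represents an SBOM Reference.
 SBOM_REFERENCE = 12;
+// This represents a secret.
+SECRET = 13;
 }
 
 // Metadata for any related URL information.
@@ -129,6 +131,35 @@ message FileLocation {
 // For jars that are contained inside .war files, this filepath
 // can indicate the path to war file combined with the path to jar file.
 string file_path = 1;
+// Each package found in a file should have its own layer metadata (that is,
+// information from the origin layer of the package).
+LayerDetails layer_details = 2;
+}
+
+// BaseImage describes a base image of a container image.
+message BaseImage {
+// The name of the base image.
+string name = 1;
+// The repository name in which the base image is from.
+string repository = 2;
+// The number of layers that the base image is composed of.
+int32 layer_count = 3;
+}
+
+// Details about the layer a package was found in.
+message LayerDetails {
+// The index of the layer in the container image.
+int32 index = 1;
+// The diff ID (typically a sha256 hash) of the layer in the container image.
+string diff_id = 2;
+// The layer chain ID (sha256 hash) of the layer in the container image.
+// https://github.com/opencontainers/image-spec/blob/main/config.md#layer-chainid
+string chain_id = 5;
+// The layer build command that was used to build the layer. This may not be
+// found in all layers depending on how the container image is built.
+string command = 3;
+// The base images the layer is found within.
+repeated BaseImage base_images = 4;
 }
 
 // License information.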
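Review bot: In `LayerDetails` the `chain_id = 5` declaration sits between `diff_id = 2` and `command = 3`, so the field numbers read out of order; the number itself must stay, but moving the declaration after `base_images = 4` (or a one-line comment explaining the out-of-order number) keeps the message readable. The `diff_id` and `chain_id` comments say "typically a sha256 hash" without fixing the representation, and consumers will compare these values against image manifests and OCI config diff IDs, so the comment should state whether the value carries the algorithm prefix, e.g. `// The diff ID of the layer, in OCI digest form ("sha256:<hex>") — TODO confirm with producers.` and likewise for `chain_id`. `FileLocation` starts before this hunk.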

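--- a/grafeas/v1/grafeas.proto
+++ b/grafeas/v1/grafeas.proto
@@ -33,6 +33,7 @@ import "grafeas/v1/dsse_attestation.proto";
 import "grafeas/v1/image.proto";
 import "grafeas/v1/package.proto";
 import "grafeas/v1/sbom.proto";
+import "grafeas/v1/secret.proto";
 import "grafeas/v1/upgrade.proto";
 import "grafeas/v1/vex.proto";
 import "grafeas/v1/vulnerability.proto";
@@ -296,6 +297,8 @@ message Occurrence {
 grafeas.v1.DSSEAttestationOccurrence dsse_attestation = 17;
 // Describes a specific SBOM reference occurrences.
 grafeas.v1.SBOMReferenceOccurrence sbom_reference = 19;
+// Describes a secret.
+grafeas.v1.SecretOccurrence secret = 20;
 }
 
 // https://github.com/secure-systems-lab/dsse
@@ -366,6 +369,8 @@ message Note {
 grafeas.v1.VulnerabilityAssessmentNote vulnerability_assessment = 20;
 // A note describing an SBOM reference.
 grafeas.v1.SBOMReferenceNote sbom_reference = 21;
+// A note describing a secret.
+grafeas.v1.SecretNote secret = 22;
 }
 }
 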
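Review bot: The comments on the new oneof members, `// Describes a secret.` at `secret = 20` and `// A note describing a secret.` at `secret = 22`, do not say what the payload carries; `SecretOccurrence` in secret.proto on this page holds a kind, locations and validity statuses and no value field, so the comment should make that explicit, e.g. `// Describes a detected secret: its kind, where it was found and its validity status.`, so that readers do not assume the occurrence contains the credential itself. Receivers that switch on the oneof case should already tolerate the new member as an unknown case from older readers; worth confirming in the clients this repository generates. Both `Occurrence` and `Note` continue outside the hunks.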

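--- a/grafeas/v1/secret.proto
+++ b/grafeas/v1/secret.proto
@@ -0,0 +1,90 @@
+// Copyright 2025 The Grafeas Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package grafeas.v1;
+
+import "google/api/field_behavior.proto";
+import "google/protobuf/timestamp.proto";
+import "grafeas/v1/common.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/grafeas/v1;grafeas";
+option java_multiple_files = true;
+option java_package = "io.grafeas.v1";
+option objc_class_prefix = "GRA";
+
+// The note representing a secret.
+message SecretNote {}
+
+// The occurrence provides details of a secret.
+message SecretOccurrence {
+// Type of secret.
+SecretKind kind = 1 [(google.api.field_behavior) = REQUIRED];
+
+// Locations where the secret is detected.
+repeated SecretLocation locations = 2
+[(google.api.field_behavior) = OPTIONAL];
+
+// Status of the secret.
+repeated SecretStatus statuses = 3 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// The location of the secret.
+message SecretLocation {
+// The detailed location of the secret.
+oneof location {
+// The secret is found from a file.
+FileLocation file_location = 1;
+}
+}
+
+// The status of the secret with a timestamp.
+message SecretStatus {
+// The status of the secret.
+enum Status {
+// Unspecified
+STATUS_UNSPECIFIED = 0;
+
+// The status of the secret is unknown.
+UNKNOWN = 1;
+
+// The secret is valid.
+VALID = 2;
+
+// The secret is invalid.
+INVALID = 3;
+}
+
+// The status of the secret.
+Status status = 1 [(google.api.field_behavior) = OPTIONAL];
+
+// The time the secret status was last updated.
+google.protobuf.Timestamp update_time = 2
+[(google.api.field_behavior) = OPTIONAL];
+
+// Optional message about the status code.
+string message = 3 [(google.api.field_behavior) = OPTIONAL];
+}
+
+
+// Kind of secret.
+enum SecretKind {
+// Unspecified
+SECRET_KIND_UNSPECIFIED = 0;
+// The secret kind is unknown.
+SECRET_KIND_UNKNOWN = 1;
+// A GCP service account key per:
+// https://cloud.google.com/iam/docs/creating-managing-service-account-keys
+SECRET_KIND_GCP_SERVICE_ACCOUNT_KEY = 2;
+}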
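Review bot: The nested `SecretStatus.Status` enum uses unprefixed values (`UNKNOWN = 1`, `VALID = 2`, `INVALID = 3`) while `STATUS_UNSPECIFIED = 0` and the sibling `SecretKind` enum in this file are prefixed; enum values share their parent's scope, so any other enum later nested in `SecretStatus` collides on these names, and renaming after publication breaks JSON and generated code. Renaming now to `STATUS_UNKNOWN = 1; STATUS_VALID = 2; STATUS_INVALID = 3;` costs nothing in a new file. The free-form `string message = 3` "about the status code" has no stated constraint on content; a comment such as `// Human-readable detail about the status. Must not contain the secret value itself.` records the expectation before producers start populating it. It would also help to say on `statuses` whether the list is ordered by `update_time`, since callers presumably want the latest status.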
