Skip to content

attestations.md

Latest commit

 

History

History
192 lines (155 loc) · 6.03 KB

attestations.md

File metadata and controls

192 lines (155 loc) · 6.03 KB

Dockyard Container Attestations

This document describes the attestations attached to Dockyard container images for supply chain security.

Overview

Every container image published to ghcr.io/stacklok/dockyard includes multiple attestations:

Type Predicate Type Description
SBOM SPDX Software Bill of Materials (via Docker buildx)
Build Provenance SLSA Build provenance attestation (via Docker buildx)
MCP Security Scan SCAI v0.3 Cisco AI Defense mcp-scanner results
Signature Sigstore Keyless OIDC signature via Cosign

MCP Security Scan Attestation (SCAI)

The MCP security scan attestation uses the SCAI (Software Supply Chain Attribute Integrity) predicate type, an official in-toto attestation format.

Predicate Type

https://in-toto.io/attestation/scai/v0.3

Schema

{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{
    "name": "ghcr.io/stacklok/dockyard/npx/context7",
    "digest": { "sha256": "..." }
  }],
  "predicateType": "https://in-toto.io/attestation/scai/v0.3",
  "predicate": {
    "attributes": [{
      "attribute": "MCP_SECURITY_SCAN_PASSED",
      "conditions": {
        "scanner": "cisco-ai-mcp-scanner",
        "scannerVersion": "4.1.0",
        "scannerUri": "https://github.com/cisco-ai-defense/mcp-scanner",
        "analyzers": ["yara"],
        "toolsScanned": 5,
        "blockingIssues": 0,
        "allowedIssues": 1,
        "scanDate": "2026-01-19T12:00:00Z",
        "configFile": "npx/context7/spec.yaml",
        "sourceRepository": "https://github.com/upstash/context7"
      },
      "evidence": {
        "name": "scan-summary.json",
        "digest": { "sha256": "..." },
        "uri": "https://github.com/stacklok/dockyard/actions/runs/...",
        "mediaType": "application/json"
      }
    }],
    "producer": {
      "uri": "https://github.com/stacklok/dockyard",
      "name": "dockyard-ci",
      "digest": { "gitCommit": "..." }
    }
  }
}

Attributes

Attribute Description
MCP_SECURITY_SCAN_PASSED Scan completed with no blocking security issues
MCP_SECURITY_SCAN_WARNING Scan completed with warnings (insecure_ignore enabled)
MCP_SECURITY_SCAN_FAILED Scan found blocking security issues

Conditions

Field Type Description
scanner string Scanner tool identifier (cisco-ai-mcp-scanner)
scannerVersion string Version of the scanner (e.g., 4.1.0)
scannerUri string URI to the scanner source repository
analyzers array List of analyzers used (yara, llm)
toolsScanned number Number of MCP tools scanned
blockingIssues number Count of blocking security issues
allowedIssues number Count of allowed (non-blocking) issues
scanDate string ISO 8601 timestamp of scan
configFile string Path to the spec.yaml configuration
sourceRepository string Source repository of the MCP server (from spec.yaml provenance)

Evidence

The evidence field links to the full scan results artifact:

  • name: Artifact filename (scan-summary.json)
  • digest.sha256: SHA256 hash of the scan summary for integrity verification
  • uri: Link to the GitHub Actions run where scan was performed
  • mediaType: Content type (application/json)

Verification

Verify Image Signature

cosign verify ghcr.io/stacklok/dockyard/npx/context7:latest

Verify MCP Security Scan Attestation

cosign verify-attestation \
  --type https://in-toto.io/attestation/scai/v0.3 \
  ghcr.io/stacklok/dockyard/npx/context7:latest

Download and Inspect Attestation

# Download all attestations
cosign download attestation ghcr.io/stacklok/dockyard/npx/context7:latest

# Decode and pretty-print SCAI attestation
cosign download attestation ghcr.io/stacklok/dockyard/npx/context7:latest | \
  jq -r 'select(.payloadType == "application/vnd.in-toto+json") | .payload | @base64d | fromjson'

View SBOM

docker buildx imagetools inspect \
  ghcr.io/stacklok/dockyard/npx/context7:latest \
  --format "{{ json .SBOM }}"

Policy Enforcement

Kyverno Example

Enforce that only images with passing MCP security scans can be deployed:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-mcp-security-scan
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-mcp-scan-attestation
      match:
        resources:
          kinds:
            - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/stacklok/dockyard/*"
          attestations:
            - type: https://in-toto.io/attestation/scai/v0.3
              attestors:
                - entries:
                    - keyless:
                        issuer: https://token.actions.githubusercontent.com
                        subject: "https://github.com/stacklok/dockyard/.github/workflows/build-containers.yml@*"
              conditions:
                - all:
                    - key: "{{ attributes[0].attribute }}"
                      operator: Equals
                      value: "MCP_SECURITY_SCAN_PASSED"

OPA/Gatekeeper Example

package dockyard.security

deny[msg] {
  input.predicate.attributes[_].attribute != "MCP_SECURITY_SCAN_PASSED"
  msg := "MCP security scan did not pass"
}

deny[msg] {
  input.predicate.attributes[_].conditions.blockingIssues > 0
  msg := sprintf("Found %d blocking security issues", [input.predicate.attributes[_].conditions.blockingIssues])
}

References