diff --git a/docs/source/_static/images/tutorial_osi_toga.png b/docs/source/_static/images/tutorial_osi_toga.png
new file mode 100644
index 000000000..10f6a84a4
Binary files /dev/null and b/docs/source/_static/images/tutorial_osi_toga.png differ
diff --git a/docs/source/_static/images/tutorial_semver_7.6.2_report.png b/docs/source/_static/images/tutorial_semver_7.7.2_report.png
similarity index 100%
rename from docs/source/_static/images/tutorial_semver_7.6.2_report.png
rename to docs/source/_static/images/tutorial_semver_7.7.2_report.png
diff --git a/docs/source/_static/images/tutorial_toga_github.png b/docs/source/_static/images/tutorial_toga_github.png
new file mode 100644
index 000000000..d2c567837
Binary files /dev/null and b/docs/source/_static/images/tutorial_toga_github.png differ
diff --git a/docs/source/_static/images/tutorial_toga_local.png b/docs/source/_static/images/tutorial_toga_local.png
new file mode 100644
index 000000000..9de063eaa
Binary files /dev/null and b/docs/source/_static/images/tutorial_toga_local.png differ
diff --git a/docs/source/_static/images/tutorial_toga_pypi.png b/docs/source/_static/images/tutorial_toga_pypi.png
new file mode 100644
index 000000000..4c8ab7257
Binary files /dev/null and b/docs/source/_static/images/tutorial_toga_pypi.png differ
diff --git a/docs/source/_static/images/tutorial_urllib3_github.png b/docs/source/_static/images/tutorial_urllib3_github.png
new file mode 100644
index 000000000..01065b776
Binary files /dev/null and b/docs/source/_static/images/tutorial_urllib3_github.png differ
diff --git a/docs/source/pages/tutorials/commit_finder.rst b/docs/source/pages/tutorials/commit_finder.rst
index f0338c7d2..23dc4e46a 100644
--- a/docs/source/pages/tutorials/commit_finder.rst
+++ b/docs/source/pages/tutorials/commit_finder.rst
@@ -164,4 +164,4 @@ Future Work
Mapping artifact to commits within repositories is a challenging endeavour. Macron's Commit Finder feature relies on repositories having and using version tags in a sensible way (a tag is considered sensible if it closely matches the version it represents). An alternative, or complimentary, approach would be to make use of the information found within provenance files, where information such as the commit hash used to create the artifact can potentially be found. Additionally, it should be noted that the Commit Finder feature was modelled on the intentions of developers (in terms of tag usage) within a large quantity of Java projects. As tag formatting is "generally" language agnostic in the same way that versioning schemes are, this feature should work well for other languages. However, there may be some improvements to be made by further testing on a large number of non-Java projects.
-.. note:: Macaron now supports extracting repository URLs and commit hashes from provenance files. This is demonstrated in a new tutorial: :doc:`npm_provenance `.
+.. note:: Macaron now supports extracting repository URLs and commit hashes from provenance files. This is demonstrated in a new tutorial: :doc:`provenance `.
diff --git a/docs/source/pages/tutorials/index.rst b/docs/source/pages/tutorials/index.rst
index d16c56f70..bc6bfdb28 100644
--- a/docs/source/pages/tutorials/index.rst
+++ b/docs/source/pages/tutorials/index.rst
@@ -20,7 +20,7 @@ For the full list of supported technologies, such as CI services, registries, an
commit_finder
detect_malicious_package
detect_vulnerable_github_actions
- npm_provenance
+ provenance
detect_malicious_java_dep
generate_verification_summary_attestation
use_verification_summary_attestation
diff --git a/docs/source/pages/tutorials/npm_provenance.rst b/docs/source/pages/tutorials/npm_provenance.rst
deleted file mode 100644
index 6a591e716..000000000
--- a/docs/source/pages/tutorials/npm_provenance.rst
+++ /dev/null
@@ -1,168 +0,0 @@
-.. Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
-.. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
-
---------------------------------------------------
-Provenance discovery, extraction, and verification
---------------------------------------------------
-
-This tutorial demonstrates how Macaron can automatically retrieve provenance for npm artifacts, validate the contents, and verify the authenticity. Any artifact that can be analyzed and checked for these properties can then be trusted to a greater degree than would be otherwise possible, as provenance files provide verifiable information, such as the commit and build service pipeline that has triggered the release.
-
-For npm artifacts, Macaron makes use of available features provided by `npm `_. Most importantly, npm allows developers to generate provenance files when publishing their artifacts. The `semver `_ package is chosen as an example for this tutorial.
-
-******************************
-Installation and Prerequisites
-******************************
-
-Skip this section if you already know how to install Macaron.
-
-.. toggle::
-
- Please follow the instructions :ref:`here `. In summary, you need:
-
- * Docker
- * the ``run_macaron.sh`` script to run the Macaron image.
-
- .. note:: At the moment, Docker alternatives (e.g. podman) are not supported.
-
-
- You also need to provide Macaron with a GitHub token through the ``GITHUB_TOKEN`` environment variable.
-
- To obtain a GitHub Token:
-
- * Go to ``GitHub settings`` → ``Developer Settings`` (at the bottom of the left side pane) → ``Personal Access Tokens`` → ``Fine-grained personal access tokens`` → ``Generate new token``. Give your token a name and an expiry period.
- * Under ``"Repository access"``, choosing ``"Public Repositories (read-only)"`` should be good enough in most cases.
-
- Now you should be good to run Macaron. For more details, see the documentation :ref:`here `.
-
-********
-Analysis
-********
-
-To perform an analysis on the latest version of semver (when this tutorial was written), Macaron can be run with the following command:
-
-.. code-block:: shell
-
- ./run_macaron.sh analyze -purl pkg:npm/semver@7.6.2 --verify-provenance
-
-The analysis involves Macaron downloading the contents of the target repository to the configured, or default, ``output`` folder. Results from the analysis, including checks, are stored in the database found at ``output/macaron.db`` (See :ref:`Output Files Guide `). Once the analysis is complete, Macaron will also produce a report in the form of a HTML file.
-
-.. note:: If you are unfamiliar with PackageURLs (purl), see this link: `PURLs `_.
-
-During this analysis, Macaron will retrieve two provenance files from the npm registry. One is a :term:`SLSA` v1.0 provenance, while the other is a npm specific publication provenance. The SLSA provenance provides details of the artifact it relates to, the repository it was built from, and the build action used to build it. The npm specific publication provenance exists if the SLSA provenance has been verified before publication.
-
-.. note:: Most of the details from the two provenance files can be found through the links provided on the artifacts page on the npm website. In particular: `Sigstore Rekor `_. The provenance file itself can be found at: `npm registry `_.
-
-Of course to reliably say the above does what is claimed here, proof is needed. For this we can rely on the check results produced from the analysis run. In particular, we want to know the results of three checks: ``mcn_provenance_derived_repo_1``, ``mcn_provenance_derived_commit_1``, and ``mcn_provenance_verified_1``. The first two to ensure that the commit and the repository being analyzed match those found in the provenance file, and the last check to ensure that the provenance file has been verified. For the third check to succeed, you need to enable provenance verification in Macaron by using the ``--verify-provenance`` command-line argument, as demonstrated above. This verification is disabled by default because it can be slow in some cases due to I/O-bound operations.
-
-.. _fig_semver_7.6.2_report:
-
-.. figure:: ../../_static/images/tutorial_semver_7.6.2_report.png
- :alt: HTML report for ``semver 7.6.2``, summary
- :align: center
-
-
-This image shows that the report produced by the previous analysis has pass results for the three checks of interest. This can also be viewed directly by opening the report file:
-
-.. code-block:: shell
-
- open output/reports/npm/semver/semver.html
-
-*****************************
-Run ``verify-policy`` command
-*****************************
-
-Another feature of Macaron is policy verification. This allows Macaron to report on whether an artifact meets the security requirements specified by the user. Policies are written using `Soufflé Datalog `_ , a language similar to SQL. Results collected by the ``analyze`` command can be checked via declarative queries in the created policy, which Macaron can then automatically check.
-
-For this tutorial, we can create a policy that checks whether the three checks (as above) have passed. In this way we can be sure that the requirement is satisfied without having to dive into the reports directly.
-
-.. code-block:: prolog
-
- #include "prelude.dl"
-
- Policy("has-verified-provenance", component_id, "Require a verified provenance file.") :-
- check_passed(component_id, "mcn_provenance_derived_repo_1"),
- check_passed(component_id, "mcn_provenance_derived_commit_1"),
- check_passed(component_id, "mcn_provenance_verified_1").
-
- apply_policy_to("has-verified-provenance", component_id) :-
- is_component(component_id, "pkg:npm/semver@7.6.2").
-
-After including some helper rules, the above policy is defined as requiring all three of the checks to pass through the ``check_passed(, )`` mechanism. The target is then defined by the criteria applied to the policy. In this case, the artifact with a PURL that matches the version of ``semver`` used in this tutorial: ``pkg:npm/semver@7.6.2``. With this check saved to a file, say ``verified.dl``, we can run it against Macaron's local database to confirm that the analysis we performed earlier in this tutorial did indeed pass all three checks.
-
-.. code-block:: shell
-
- ./run_macaron.sh verify-policy -d output/macaron.db -f verified.dl
-
-The result of this command should show that the policy we have written succeeds on the ``semver`` library. As follows:
-
-.. code-block:: javascript
-
- component_satisfies_policy
- ['1', 'pkg:npm/semver@7.6.2', 'has-verified-provenance']
- component_violates_policy
- failed_policies
- passed_policies
- ['has-verified-provenance']
-
-Additionally, if we had happened to run some more analyses on other versions of ``semver``, we could also apply the policy to them with only a small modification:
-
-.. code-block:: prolog
-
- apply_policy_to("has-verified-provenance", component_id) :-
- is_component(component_id, purl),
- match("pkg:npm/semver@.*", purl).
-
-With this modification, all versions of ``semver`` previously analysed will show up when the policy is run again. Like so:
-
-.. code-block:: javascript
-
- component_satisfies_policy
- ['1', 'pkg:npm/semver@7.6.2', 'has-verified-provenance']
- ['2', 'pkg:npm/semver@7.6.0', 'has-verified-provenance']
- component_violates_policy
- ['3', 'pkg:npm/semver@1.0.0', 'has-verified-provenance']
- failed_policies
- ['has-verified-provenance']
-
-Here we can see that the newer versions, 7.6.2 and 7.6.0, passed the checks, meaning they have verified provenance. The much older version, 1.0.0, did not pass the checks, which is not surprising given that it was published 13 years before this tutorial was made.
-
-However, if we wanted to acknowledge that earlier versions of the artifact do not have provenance, and accept that as part of the policy, we can do that too. For this to succeed we need to extend the policy with more complicated modifications.
-
-.. code-block:: prolog
-
- #include "prelude.dl"
-
- Policy("has-verified-provenance-or-is-excluded", component_id, "Require a verified provenance file.") :-
- check_passed(component_id, "mcn_provenance_derived_repo_1"),
- check_passed(component_id, "mcn_provenance_derived_commit_1"),
- check_passed(component_id, "mcn_provenance_verified_1"),
- !exception(component_id).
-
- Policy("has-verified-provenance-or-is-excluded", component_id, "Make exception for older artifacts.") :-
- exception(component_id).
-
- .decl exception(component_id: number)
- exception(component_id) :-
- is_component(component_id, purl),
- match("pkg:npm/semver@[0-6][.].*", purl).
-
- apply_policy_to("has-verified-provenance-or-is-excluded", component_id) :-
- is_component(component_id, purl),
- match("pkg:npm/semver@.*", purl).
-
-In this final policy, we declare (``.decl``) a new rule called ``exception`` that utilises more regular expression in its ``match`` constraint to exclude artifacts that were published before provenance generation was supported. For this tutorial, we have set the exception to accept any versions of ``semver`` that starts with a number between 0 and 6 using the regular expression range component of ``[0-6]``. Then we modify the previous ``Policy`` so that it expects the same three checks to pass, but only if the exception rule is not applicable -- the exclamation mark before the exception negates the requirement. Finally, we add a new ``Policy`` that applies only to those artifacts that match the exception rule.
-
-When run, this updated policy produces the following:
-
-.. code-block:: javascript
-
- component_satisfies_policy
- ['1', 'pkg:npm/semver@7.6.2', 'has-verified-provenance-or-is-excluded']
- ['2', 'pkg:npm/semver@7.6.0', 'has-verified-provenance-or-is-excluded']
- ['3', 'pkg:npm/semver@1.0.0', 'has-verified-provenance-or-is-excluded']
- component_violates_policy
- failed_policies
- passed_policies
- ['has-verified-provenance-or-is-excluded']
-
-Now all versions pass the policy check.
diff --git a/docs/source/pages/tutorials/provenance.rst b/docs/source/pages/tutorials/provenance.rst
new file mode 100644
index 000000000..bef12d983
--- /dev/null
+++ b/docs/source/pages/tutorials/provenance.rst
@@ -0,0 +1,332 @@
+.. Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+.. Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+--------------------------------------------------
+Provenance discovery, extraction, and verification
+--------------------------------------------------
+
+This tutorial demonstrates how Macaron can automatically retrieve provenance for artifacts, validate the contents, and verify the authenticity. Any artifact that can be analyzed and checked for these properties can then be trusted to a greater degree than would be otherwise possible, as provenance files provide verifiable information, such as the commit and build service pipeline that has triggered the release.
+
+Currently, Macaron supports discovery of attestation for:
+
+ * npm artifacts using features provided by `npm `_
+ * PyPI artifacts using features provided by `Open Source Insights `_
+ * Artifacts that have published attestations to, or released as assets to `GitHub `_
+ * Attestation provided by the user to Macaron via the CLI
+
+This tutorial uses example packages to demonstrate these discovery methods: The `semver `_ npm package, the `toga `_ PyPI package, and the `urllib3 `_ PyPI package.
+
+.. contents:: :local:
+
+******************************
+Installation and Prerequisites
+******************************
+
+Skip this section if you already know how to install Macaron.
+
+.. toggle::
+
+ Please follow the instructions :ref:`here `. In summary, you need:
+
+ * Docker
+ * the ``run_macaron.sh`` script to run the Macaron image.
+
+ .. note:: At the moment, Docker alternatives (e.g. podman) are not supported.
+
+
+ You also need to provide Macaron with a GitHub token through the ``GITHUB_TOKEN`` environment variable.
+
+ To obtain a GitHub Token:
+
+ * Go to ``GitHub settings`` → ``Developer Settings`` (at the bottom of the left side pane) → ``Personal Access Tokens`` → ``Fine-grained personal access tokens`` → ``Generate new token``. Give your token a name and an expiry period.
+ * Under ``"Repository access"``, choosing ``"Public Repositories (read-only)"`` should be good enough in most cases.
+
+ Now you should be good to run Macaron. For more details, see the documentation :ref:`here `.
+
+The analyses in this tutorial involve downloading the contents of a target repository to the configured, or default, ``output`` folder. Results from the analyses, including checks, are stored in the database found at ``output/macaron.db`` (See :ref:`Output Files Guide `). Once the analysis is complete, Macaron will also produce a report in the form of a HTML file.
+
+.. note:: If you are unfamiliar with PackageURLs (purl), see this link: `PURLs `_.
+
+**************************************
+Attestation Discovery for semver (npm)
+**************************************
+
+To perform an analysis on the latest version of semver (when this tutorial was written), Macaron can be run with the following command:
+
+.. code-block:: shell
+
+ ./run_macaron.sh analyze -purl pkg:npm/semver@7.7.2 --verify-provenance
+
+During this analysis, Macaron will retrieve two provenance files from the npm registry. One is a :term:`SLSA` v1.0 provenance, while the other is a npm specific publication provenance. The SLSA provenance provides details of the artifact it relates to, the repository it was built from, and the build action used to build it. The npm specific publication provenance exists if the SLSA provenance has been verified before publication.
+
+.. note:: Most of the details from the two provenance files can be found through the links provided on the artifacts page on the npm website. In particular: `Sigstore Rekor `_. The provenance file itself can be found at: `npm registry `_.
+
+Of course to reliably say the above does what is claimed here, proof is needed. For this we can rely on the check results produced from the analysis run. In particular, we want to know the results of three checks: ``mcn_provenance_derived_repo_1``, ``mcn_provenance_derived_commit_1``, and ``mcn_provenance_verified_1``. The first two to ensure that the commit and the repository being analyzed match those found in the provenance file, and the last check to ensure that the provenance file has been verified. For the third check to succeed, you need to enable provenance verification in Macaron by using the ``--verify-provenance`` command-line argument, as demonstrated above. This verification is disabled by default because it can be slow in some cases due to I/O-bound operations.
+
+.. _fig_semver_7.7.2_report:
+
+.. figure:: ../../_static/images/tutorial_semver_7.7.2_report.png
+ :alt: HTML report for ``semver 7.7.2``, summary
+ :align: center
+
+This image shows that the report produced by the previous analysis has pass results for the three checks of interest. This can also be viewed directly by opening the report file:
+
+.. code-block:: shell
+
+ open output/reports/npm/semver/semver.html
+
+The check results of this example (and others) can be automatically verified. A demonstration of verification for this case is provided later in this tutorial.
+
+*************************************
+Attestation Discovery for toga (PyPI)
+*************************************
+
+To perform an analysis on the latest version of toga (when this tutorial was written), Macaron can be run with the following command:
+
+.. code-block:: shell
+
+ ./run_macaron.sh analyze -purl pkg:pypi/toga@0.5.1
+
+During this analysis, Macaron will retrieve information from two sources to attempt to discover a PyPI attestation file. Firstly, Open Source Insights will be queried for an attestation URL that can be used to access the desired information. If found, this URL can be followed to its source on the PyPI package registry, which is where the actual attestation file is hosted.
+
+As an example of these internal steps, the attestation information can be seen via the `Open Source Insights API `_. From this information the PyPI attestation URL is extracted, revealing its location: `https://pypi.org/integrity/toga/0.5.1/toga-0.5.1-py3-none-any.whl/provenance `_.
+
+.. _fig_toga_osi_api:
+
+.. figure:: ../../_static/images/tutorial_osi_toga.png
+ :alt: Open Source Insight's API result for toga package
+ :align: center
+
+This image shows the attestation URL found in the Open Source Insight API result.
+
+By using the Open Source Insights API, Macaron can check that the discovered provenance is verified, as well as being a valid match of the user provided PURL. For this we can rely on the check results produced from the analysis run. In particular, we want to know the results of three checks: ``mcn_provenance_derived_repo_1``, ``mcn_provenance_derived_commit_1``, and ``mcn_provenance_verified_1``. The first two to ensure that the commit and the repository being analyzed match those found in the provenance file, and the last check to ensure that the provenance file has been verified.
+
+.. _fig_toga_pypi_checks:
+
+.. figure:: ../../_static/images/tutorial_toga_pypi.png
+ :alt: HTML report for ``toga 0.5.1``, summary
+ :align: center
+
+All three checks show they have passed, meaning Macaron has discovered the correct provenance for the user provided PURL, and determined that it is verified. To access the full report use the following:
+
+.. code-block:: shell
+
+ open output/reports/pypi/toga/toga.html
+
+***************************************
+Attestation Discovery for toga (GitHub)
+***************************************
+
+The toga library is interesting in that it has GitHub attestation or PyPI attestation depending on which particular version of it is analyzed. To discover a GitHub attestation, we can analyze version 0.4.8:
+
+.. code-block:: shell
+
+ ./run_macaron.sh analyze -purl pkg:pypi/toga@0.4.8
+
+During this analysis, Macaron will attempt to discover a GitHub attestation by computing the hash of the relevant artifact. This is a requirement of GitHub's API to view artifact attestation, see the `GitHub Attestation API `_. The hash is computed by downloading the artifact and analysing it with the SHA256 algorithm. With the hash, the GitHub API can be called to find the related attestation.
+
+In this particular case, the SHA256 hash of the toga 0.4.8 artifact is 0814a72abb0a9a5f22c32cc9479c55041ec30cdf4b12d73a0017aee58f9a1f00. A GitHub attestation can be found for this artifact `here `_.
+
+Attestation discovered through GitHub is signed with verified signatures. As long as the repository URL and commit digest associated with the user provided PURL match what is found within the attestation, Macaron can report it as verified. Therefore, we can examine the results of three checks: ``mcn_provenance_derived_repo_1``, ``mcn_provenance_derived_commit_1``, and ``mcn_provenance_verified_1``.
+
+.. _fig_toga_github_checks:
+
+.. figure:: ../../_static/images/tutorial_toga_github.png
+ :alt: HTML report for ``toga 0.4.8``, summary
+ :align: center
+
+This image shows that both checks have passed, confirming that the repository URL and commit digest from the provenance match those associated with the user provided PURL. To access the full report use the following:
+
+.. code-block:: shell
+
+ open output/reports/pypi/toga/toga.html
+
+
+******************************************
+Attestation discovery for urllib3 (GitHub)
+******************************************
+
+To demonstrate GitHub attestation being found from released assets on the platform, we use the urllib3 library.
+
+.. code-block:: shell
+
+ ./run_macaron.sh analyze -purl pkg:pypi/urllib3@2.0.0a1 --verify-provenance
+
+As part of this analysis, Macaron ends up downloading three different asset files: The `attestation asset `_, the artifact's Python wheel file, and the artifact's compressed archive. By examining the attestation, Macaron can verify the two other files. This analysis can then report that provenance exists, and is verified.
+
+If we look at the results of three of Macaron's checks we can validate this result: ``mcn_provenance_derived_repo_1``, ``mcn_provenance_derived_commit_1``, and ``mcn_provenance_verified_1``.
+
+.. _fig_urllib3_github_checks:
+
+.. figure:: ../../_static/images/tutorial_urllib3_github.png
+ :alt: HTML report for ``urllib3 2.0.0a1``, summary
+ :align: center
+
+This image shows that all three checks have passed, confirming that the repository URL and commit digest from the provenance match those associated with the user provided PURL, and that the provenance is verified. To access the full report use the following:
+
+.. code-block:: shell
+
+ open output/reports/pypi/urllib3/urllib3.html
+
+**********************************
+Local attestation discovery (toga)
+**********************************
+
+If an attestation file already exists in a local directory, it makes more sense to use it than download it again. For this example case we rely on the attestation URL found for ``toga@0.4.8`` earlier in the tutorial. To download this file in the current directory, use the following command:
+
+.. code-block:: shell
+
+ curl https://api.github.com/repos/beeware/toga/attestations/sha256:0814a72abb0a9a5f22c32cc9479c55041ec30cdf4b12d73a0017aee58f9a1f00 -o toga_0.4.8_attestation.json
+
+
+With the attestation downloaded, we can run the analysis and pass it in as an argument. Like so:
+
+.. code-block:: shell
+
+ ./run_macaron.sh analyze -purl pkg:pypi/toga@0.4.8 -pf toga_0.4.8_attestation.json
+
+To then determine that the provenance was accepted and matched the analysis target, we can examine the results of Macaron's checks: ``mcn_provenance_derived_repo_1``, ``mcn_provenance_derived_commit_1``, and ``mcn_provenance_verified_1``.
+
+.. note:: Because the provenance file was provided by the user, we expect the provenance verification check to fail.
+
+.. _fig_toga_local_checks:
+
+.. figure:: ../../_static/images/tutorial_toga_local.png
+ :alt: HTML report for ``toga 0.4.8`` local, summary
+ :align: center
+
+This image shows that the repository and commit validation checks have passed, confirming that the provenance matches the analysis target. The verification check fails as expected. To view the report directly, use this command:
+
+.. code-block:: shell
+
+ open output/reports/pypi/toga/toga.html
+
+***************************
+Supported Attestation Types
+***************************
+
+When attestation is provided to Macaron as input, it must be of one of the support types in order to be accepted. Support is defined by the ``predicateType`` and ``buildType`` properties within an attestation.
+
+Predicate Types
+~~~~~~~~~~~~~~~
+
+ * SLSA v0.1
+ * SLSA v0.2
+ * SLSA v1.0
+ * Witness v0.1
+
+
+Build Types
+~~~~~~~~~~~
+
+.. csv-table::
+ :header: "Name", "Build Type"
+
+ "SLSA GitHub Generic v0.1", "https://github.com/slsa-framework/slsa-github-generator/generic@v1"
+ "SLSA GitHub Actions v1.0", "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1"
+ "SLSA npm CLI v2.0", "https://github.com/npm/cli/gha/v2"
+ "SLSA Google Cloud Build v1.0", "https://slsa-framework.github.io/gcb-buildtypes/triggered-build/v1"
+ "SLSA Oracle Cloud Infrastructure v1.0", "https://github.com/oracle/macaron/tree/main/src/macaron/resources/provenance-buildtypes/oci/v1"
+ "Witness GitLab v0.1", "https://witness.testifysec.com/attestation-collection/v0.1"
+
+
+
+**************************************
+Run ``verify-policy`` command (semver)
+**************************************
+
+Another feature of Macaron is policy verification, which allows it to assess whether an artifact meets user-defined security requirements. This feature can also be integrated into CI/CD pipelines to automatically check policy compliance by returning appropriate error codes based on pass or fail status. Policies are written using `Soufflé Datalog `_ , a language similar to SQL. Results collected by the ``analyze`` command can be checked via declarative queries in the created policy, which Macaron can then automatically check.
+
+For this tutorial, we can create a policy that checks whether the three checks relating to the semver npm example above have passed. E.g. ``mcn_provenance_derived_repo_1``, ``mcn_provenance_derived_commit_1``, and ``mcn_provenance_verified_1``. In this way we can be sure that the requirement is satisfied without having to dive into the reports directly.
+
+.. code-block:: prolog
+
+ #include "prelude.dl"
+
+ Policy("has-verified-provenance", component_id, "Require a verified provenance file.") :-
+ check_passed(component_id, "mcn_provenance_derived_repo_1"),
+ check_passed(component_id, "mcn_provenance_derived_commit_1"),
+ check_passed(component_id, "mcn_provenance_verified_1").
+
+ apply_policy_to("has-verified-provenance", component_id) :-
+ is_component(component_id, "pkg:npm/semver@7.7.2").
+
+After including some helper rules, the above policy is defined as requiring all three of the checks to pass through the ``check_passed(, )`` mechanism. The target is then defined by the criteria applied to the policy. In this case, the artifact with a PURL that matches the version of ``semver`` used in this tutorial: ``pkg:npm/semver@7.7.2``. With this check saved to a file, say ``verified.dl``, we can run it against Macaron's local database to confirm that the analysis we performed earlier in this tutorial did indeed pass all three checks.
+
+.. code-block:: shell
+
+ ./run_macaron.sh verify-policy -d output/macaron.db -f verified.dl
+
+The result of this command should show that the policy we have written succeeds on the ``semver`` library. As follows:
+
+.. code-block:: javascript
+
+ component_satisfies_policy
+ ['1', 'pkg:npm/semver@7.7.2', 'has-verified-provenance']
+ component_violates_policy
+ failed_policies
+ passed_policies
+ ['has-verified-provenance']
+
+Additionally, if we had happened to run some more analyses on other versions of ``semver``, we could also apply the policy to them with only a small modification:
+
+.. code-block:: prolog
+
+ apply_policy_to("has-verified-provenance", component_id) :-
+ is_component(component_id, purl),
+ match("pkg:npm/semver@.*", purl).
+
+With this modification, all versions of ``semver`` previously analysed will show up when the policy is run again. Like so:
+
+.. code-block:: javascript
+
+ component_satisfies_policy
+ ['1', 'pkg:npm/semver@7.7.2', 'has-verified-provenance']
+ ['2', 'pkg:npm/semver@7.6.0', 'has-verified-provenance']
+ component_violates_policy
+ ['3', 'pkg:npm/semver@1.0.0', 'has-verified-provenance']
+ failed_policies
+ ['has-verified-provenance']
+
+Here we can see that the newer versions, 7.7.2 and 7.6.0, passed the checks, meaning they have verified provenance. The much older version, 1.0.0, did not pass the checks, which is not surprising given that it was published 13 years before this tutorial was made.
+
+However, if we wanted to acknowledge that earlier versions of the artifact do not have provenance, and accept that as part of the policy, we can do that too. For this to succeed we need to extend the policy with more complicated modifications.
+
+.. code-block:: prolog
+
+ #include "prelude.dl"
+
+ Policy("has-verified-provenance-or-is-excluded", component_id, "Require a verified provenance file.") :-
+ check_passed(component_id, "mcn_provenance_derived_repo_1"),
+ check_passed(component_id, "mcn_provenance_derived_commit_1"),
+ check_passed(component_id, "mcn_provenance_verified_1"),
+ !exception(component_id).
+
+ Policy("has-verified-provenance-or-is-excluded", component_id, "Make exception for older artifacts.") :-
+ exception(component_id).
+
+ .decl exception(component_id: number)
+ exception(component_id) :-
+ is_component(component_id, purl),
+ match("pkg:npm/semver@[0-6][.].*", purl).
+
+ apply_policy_to("has-verified-provenance-or-is-excluded", component_id) :-
+ is_component(component_id, purl),
+ match("pkg:npm/semver@.*", purl).
+
+In this final policy, we declare (``.decl``) a new rule called ``exception`` that utilises more regular expression in its ``match`` constraint to exclude artifacts that were published before provenance generation was supported. For this tutorial, we have set the exception to accept any versions of ``semver`` that starts with a number between 0 and 6 using the regular expression range component of ``[0-6]``. Then we modify the previous ``Policy`` so that it expects the same three checks to pass, but only if the exception rule is not applicable -- the exclamation mark before the exception negates the requirement. Finally, we add a new ``Policy`` that applies only to those artifacts that match the exception rule.
+
+When run, this updated policy produces the following:
+
+.. code-block:: javascript
+
+ component_satisfies_policy
+ ['1', 'pkg:npm/semver@7.7.2', 'has-verified-provenance-or-is-excluded']
+ ['2', 'pkg:npm/semver@7.6.0', 'has-verified-provenance-or-is-excluded']
+ ['3', 'pkg:npm/semver@1.0.0', 'has-verified-provenance-or-is-excluded']
+ component_violates_policy
+ failed_policies
+ passed_policies
+ ['has-verified-provenance-or-is-excluded']
+
+Now all versions pass the policy check.
diff --git a/src/macaron/provenance/provenance_extractor.py b/src/macaron/provenance/provenance_extractor.py
index f2c54c607..4366ab299 100644
--- a/src/macaron/provenance/provenance_extractor.py
+++ b/src/macaron/provenance/provenance_extractor.py
@@ -159,7 +159,7 @@ def _extract_from_slsa_v1(payload: InTotoV1Payload) -> tuple[str | None, str | N
repo = json_extract(predicate, ["buildDefinition", "externalParameters", "sourceToBuild", "repository"], str)
if not repo:
repo = json_extract(predicate, ["buildDefinition", "externalParameters", "configSource", "repository"], str)
- elif isinstance(build_def, SLSAGithubActionsBuildDefinitionV1):
+ elif isinstance(build_def, (SLSAGithubActionsBuildDefinitionV1, GitHubActionsBuildDefinition)):
repo = json_extract(predicate, ["buildDefinition", "externalParameters", "workflow", "repository"], str)
elif isinstance(build_def, SLSAOCIBuildDefinitionV1):
repo = json_extract(predicate, ["buildDefinition", "externalParameters", "source"], str)
@@ -504,7 +504,7 @@ def get_build_invocation(self, statement: InTotoV01Statement | InTotoV1Statement
class SLSANPMCLIBuildDefinitionV2(ProvenanceBuildDefinition):
- """Class representing the SLSA NPM CLI Build Definition (v12).
+ """Class representing the SLSA NPM CLI Build Definition (v2).
This class implements the abstract methods from the `ProvenanceBuildDefinition`
to extract build invocation details specific to the GitHub Actions build type.
@@ -684,6 +684,43 @@ def get_build_invocation(self, statement: InTotoV01Statement | InTotoV1Statement
return gha_workflow, invocation_url
+class GitHubActionsBuildDefinition(ProvenanceBuildDefinition):
+ """Class representing the GitHub Actions Build Definition (v1).
+
+ This class implements the abstract methods defined in `ProvenanceBuildDefinition`
+ to extract build invocation details specific to the GitHub actions attestation build type.
+ """
+
+ #: Determines the expected ``buildType`` field in the provenance predicate.
+ expected_build_type = "https://actions.github.io/buildtypes/workflow/v1"
+
+ def get_build_invocation(self, statement: InTotoV01Statement | InTotoV1Statement) -> tuple[str | None, str | None]:
+ """Retrieve the build invocation information from the given statement.
+
+ Parameters
+ ----------
+ statement : InTotoV1Statement | InTotoV01Statement
+ The provenance statement from which to extract the build invocation
+ details. This statement contains the metadata about the build process
+ and its associated artifacts.
+
+ Returns
+ -------
+ tuple[str | None, str | None]
+ A tuple containing two elements:
+ - The first element is the build invocation entry point (e.g., workflow name), or None if not found.
+ - The second element is the invocation URL or identifier (e.g., job URL), or None if not found.
+ """
+ if statement["predicate"] is None:
+ return None, None
+
+ gha_workflow = json_extract(
+ statement["predicate"], ["buildDefinition", "externalParameters", "workflow", "path"], str
+ )
+ invocation_url = json_extract(statement["predicate"], ["runDetails", "metadata", "invocationId"], str)
+ return gha_workflow, invocation_url
+
+
class ProvenancePredicate:
"""Class providing utility methods for handling provenance predicates.
@@ -750,6 +787,7 @@ def find_build_def(statement: InTotoV01Statement | InTotoV1Statement) -> Provena
SLSAOCIBuildDefinitionV1(),
WitnessGitLabBuildDefinitionV01(),
PyPICertificateDefinition(),
+ GitHubActionsBuildDefinition(),
]
for build_def in build_defs:
diff --git a/src/macaron/slsa_analyzer/analyzer.py b/src/macaron/slsa_analyzer/analyzer.py
index 8c0faaad8..8fcebc381 100644
--- a/src/macaron/slsa_analyzer/analyzer.py
+++ b/src/macaron/slsa_analyzer/analyzer.py
@@ -513,6 +513,15 @@ def run_single(
artifact_hash = self.get_artifact_hash(parsed_purl, local_artifact_dirs, package_registries_info)
if artifact_hash:
provenance_payload = self.get_github_attestation_payload(analyze_ctx, git_service, artifact_hash)
+ if provenance_payload:
+ try:
+ provenance_repo_url, provenance_commit_digest = extract_repo_and_commit_from_provenance(
+ provenance_payload
+ )
+ # Attestations found from GitHub are signed and verified.
+ provenance_is_verified = True
+ except ProvenanceError as error:
+ logger.debug("Failed to extract from provenance: %s", error)
if parsed_purl is not None:
self._verify_repository_link(parsed_purl, analyze_ctx)
diff --git a/src/macaron/slsa_analyzer/provenance/loader.py b/src/macaron/slsa_analyzer/provenance/loader.py
index 106cc03b5..3e9d9b1b0 100644
--- a/src/macaron/slsa_analyzer/provenance/loader.py
+++ b/src/macaron/slsa_analyzer/provenance/loader.py
@@ -123,6 +123,9 @@ def decode_provenance(provenance: dict) -> dict[str, JsonType]:
# GitHub Attestation.
# TODO Check if old method (above) actually works.
provenance_payload = json_extract(provenance, ["bundle", "dsseEnvelope", "payload"], str)
+ if not provenance_payload and "attestations" in provenance:
+ # Check for multiple attestation and return the first instance.
+ provenance_payload = json_extract(provenance, ["attestations", 0, "bundle", "dsseEnvelope", "payload"], str)
if not provenance_payload:
raise LoadIntotoAttestationError(
'Cannot find the "payload" field in the decoded provenance.',
diff --git a/tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_6_2.dl b/tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_7_2.dl
similarity index 80%
rename from tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_6_2.dl
rename to tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_7_2.dl
index 60c4a4df2..5279c569e 100644
--- a/tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_6_2.dl
+++ b/tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_7_2.dl
@@ -1,4 +1,4 @@
-/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
+/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
#include "prelude.dl"
@@ -9,4 +9,4 @@ Policy("has-verified-provenance", component_id, "Require a verified provenance f
check_passed(component_id, "mcn_provenance_verified_1").
apply_policy_to("has-verified-provenance", component_id) :-
- is_component(component_id, "pkg:npm/semver@7.6.2").
+ is_component(component_id, "pkg:npm/semver@7.7.2").
diff --git a/tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_6_x.dl b/tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_x.dl
similarity index 83%
rename from tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_6_x.dl
rename to tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_x.dl
index bbfdf3db9..0a59f84d4 100644
--- a/tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_6_x.dl
+++ b/tests/integration/cases/tutorial_npm_verify_provenance_semver/policy_7_x.dl
@@ -1,4 +1,4 @@
-/* Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved. */
+/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
#include "prelude.dl"
@@ -10,4 +10,4 @@ Policy("has-verified-provenance", component_id, "Require a verified provenance f
apply_policy_to("has-verified-provenance", component_id) :-
is_component(component_id, purl),
- match("pkg:npm/semver@7.6.*", purl).
+ match("pkg:npm/semver@7.*", purl).
diff --git a/tests/integration/cases/tutorial_npm_verify_provenance_semver/test.yaml b/tests/integration/cases/tutorial_npm_verify_provenance_semver/test.yaml
index ac11642f4..6b1477cea 100644
--- a/tests/integration/cases/tutorial_npm_verify_provenance_semver/test.yaml
+++ b/tests/integration/cases/tutorial_npm_verify_provenance_semver/test.yaml
@@ -8,17 +8,17 @@ tags:
- tutorial
steps:
-- name: Run macaron analyze semver@7.6.2
+- name: Run macaron analyze semver@7.7.2
kind: analyze
options:
command_args:
- -purl
- - pkg:npm/semver@7.6.2
+ - pkg:npm/semver@7.7.2
- --verify-provenance
-- name: Verify checks for semver@7.6.2
+- name: Verify checks for semver@7.7.2
kind: verify
options:
- policy: policy_7_6_2.dl
+ policy: policy_7_7_2.dl
- name: Run macaron analyze@semver@7.6.0
kind: analyze
options:
@@ -26,10 +26,10 @@ steps:
- -purl
- pkg:npm/semver@7.6.0
- --verify-provenance
-- name: Verify checks for all 7.6.x semver runs
+- name: Verify checks for all 7.x semver runs
kind: verify
options:
- policy: policy_7_6_x.dl
+ policy: policy_7_x.dl
- name: Run macaron analyze semver@1.0.0
kind: analyze
options:
diff --git a/tests/integration/cases/tutorial_toga_local_provenance/policy.dl b/tests/integration/cases/tutorial_toga_local_provenance/policy.dl
new file mode 100644
index 000000000..13aa5ab73
--- /dev/null
+++ b/tests/integration/cases/tutorial_toga_local_provenance/policy.dl
@@ -0,0 +1,12 @@
+/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
+/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
+
+#include "prelude.dl"
+
+Policy("has-verified-provenance", component_id, "Require a verified provenance file.") :-
+ check_passed(component_id, "mcn_provenance_derived_repo_1"),
+ check_passed(component_id, "mcn_provenance_derived_commit_1"),
+ check_failed(component_id, "mcn_provenance_verified_1").
+
+apply_policy_to("has-verified-provenance", component_id) :-
+ is_component(component_id, "pkg:pypi/toga@0.4.8").
diff --git a/tests/integration/cases/tutorial_toga_local_provenance/test.yaml b/tests/integration/cases/tutorial_toga_local_provenance/test.yaml
new file mode 100644
index 000000000..092dacafa
--- /dev/null
+++ b/tests/integration/cases/tutorial_toga_local_provenance/test.yaml
@@ -0,0 +1,30 @@
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+description: |
+ Analysing the toga library at different versions to find PyPI and GitHub attestation.
+
+tags:
+- tutorial
+
+steps:
+- name: Download the GitHub attestation file
+ kind: shell
+ options:
+ cmd: curl https://api.github.com/repos/beeware/toga/attestations/sha256:0814a72abb0a9a5f22c32cc9479c55041ec30cdf4b12d73a0017aee58f9a1f00 -o toga_0.4.8_attestation.json
+- name: Run macaron analyze toga with local attestation
+ kind: analyze
+ options:
+ command_args:
+ - -purl
+ - pkg:pypi/toga@0.4.8
+ - -pf
+ - toga_0.4.8_attestation.json
+- name: Cleanup local attestation
+ kind: shell
+ options:
+ cmd: rm toga_0.4.8_attestation.json
+- name: Verify analysis results
+ kind: verify
+ options:
+ policy: policy.dl
diff --git a/tests/integration/cases/tutorial_toga_provenance/policy.dl b/tests/integration/cases/tutorial_toga_provenance/policy.dl
new file mode 100644
index 000000000..7e18aed36
--- /dev/null
+++ b/tests/integration/cases/tutorial_toga_provenance/policy.dl
@@ -0,0 +1,13 @@
+/* Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. */
+/* Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. */
+
+#include "prelude.dl"
+
+Policy("has-verified-provenance", component_id, "Require a verified provenance file.") :-
+ check_passed(component_id, "mcn_provenance_derived_repo_1"),
+ check_passed(component_id, "mcn_provenance_derived_commit_1"),
+ check_passed(component_id, "mcn_provenance_verified_1").
+
+apply_policy_to("has-verified-provenance", component_id) :-
+ is_component(component_id, purl),
+ match("pkg:pypi/toga@*", purl).
diff --git a/tests/integration/cases/tutorial_toga_provenance/test.yaml b/tests/integration/cases/tutorial_toga_provenance/test.yaml
new file mode 100644
index 000000000..2e54d5ce6
--- /dev/null
+++ b/tests/integration/cases/tutorial_toga_provenance/test.yaml
@@ -0,0 +1,27 @@
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+description: |
+ Analysing the toga library at different versions to find PyPI and GitHub attestation.
+
+tags:
+- tutorial
+
+steps:
+- name: Run macaron analyze toga with PyPI attestation
+ kind: analyze
+ options:
+ command_args:
+ - -purl
+ - pkg:pypi/toga@0.5.1
+- name: Run macaron analyze toga with GitHub attestation
+ kind: analyze
+ options:
+ command_args:
+ - -purl
+ - pkg:pypi/toga@0.4.8
+ - --verify-provenance
+- name: Verify provenance exists for both analyses
+ kind: verify
+ options:
+ policy: policy.dl
diff --git a/tests/integration/cases/urllib3_expectation_file/test.yaml b/tests/integration/cases/urllib3_expectation_file/test.yaml
index 21441d0a5..eb267de5e 100644
--- a/tests/integration/cases/urllib3_expectation_file/test.yaml
+++ b/tests/integration/cases/urllib3_expectation_file/test.yaml
@@ -8,6 +8,7 @@ description: |
tags:
- macaron-python-package
- macaron-docker-image
+- tutorial
steps:
- name: Run macaron analyze with expectation file