Software Layer

vet

Verify software artifacts before they access sensitive data. Where qualify qualifies the person, vet qualifies the software.

How it works

vet is the software supply chain layer of the Provabl suite. Training gates the person. vet gates the software.

1. Sign at build time

Sign artifacts with Sigstore keyless signing, so no long-lived private key is needed. The signing identity comes from the GitHub Actions OIDC token, and the signature is recorded in the Rekor transparency log.

# In your GitHub Actions release workflow
vet sign pipeline:v1.2 --subject ci@github.com/org/repo
# ✓ Signed via Sigstore keyless, Rekor log ID: abc123

2. Verify before access

Verify the SLSA provenance attestation and CVE status. Fail fast if the artifact doesn't meet policy — before it touches any sensitive data.

vet verify pipeline:v1.2 \
  --source github.com/org/repo \
  --min-slsa-level 2 \
  --check-cves critical
# ✓ SLSA L2 provenance verified
# ✓ No critical CVEs in SBOM

3. Gate via Cedar attributes

Write workload verification results as Cedar attributes. attest's Cedar PDP evaluates these alongside training tags — no unverified software accesses CUI data.

vet gate pipeline:v1.2 --policy .vet/policy.yaml
# ✓ context.workload.SLSALevel = 2
# ✓ context.workload.CVECritical = false
# ✓ Cedar attributes written — attest PDP re-evaluates

4. attest Cedar policy enforces it

attest's Cedar policies can require workload verification before granting data access — combining training compliance with software supply chain integrity.

# Cedar policy in attest (compiled from framework):
permit(principal, action, resource in ResourceGroup::"cui-data")
when {
  principal.CUITrainingCurrent == true  // from qualify
  && context.workload.SLSALevel >= 2   // from vet
  && context.workload.CVECritical == false
};
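As an added illustration (not code from vet or attest), here is a small Python model of the decision the policy above makes: it parses the `context.workload.*` attribute lines that `vet gate` prints and evaluates them together with the principal's qualify attribute, denying whenever a referenced attribute is absent, which is also what Cedar does when a policy condition references a missing attribute. The sample gate output is constructed from the format shown above.

```python
"""Model of the combined attest/vet gate for CUI data access.

Illustrative re-implementation of the Cedar policy in Python; it is not
attest's PDP and does not parse Cedar itself.
"""
import re

# Constructed sample of `vet gate` output, modelled on the
# "context.workload.<Attr> = <value>" lines shown above.
SAMPLE_GATE_OUTPUT = """\
# ✓ context.workload.SLSALevel = 2
# ✓ context.workload.CVECritical = false
# ✓ context.workload.Signed = true
"""

_ATTR_LINE = re.compile(r"context\.workload\.(\w+)\s*=\s*(\S+)")


def parse_workload_attrs(text):
    """Return {attr: typed value} from gate output.

    Values are typed (bool / int / str) so that comparisons behave like
    Cedar's typed attributes rather than string matching.
    """
    attrs = {}
    for match in _ATTR_LINE.finditer(text):
        name, raw = match.group(1), match.group(2)
        if raw in ("true", "false"):
            attrs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            attrs[name] = int(raw)
        else:
            attrs[name] = raw
    return attrs


def cui_data_permitted(principal, workload, min_slsa=2):
    """Mirror the `permit ... when { ... }` policy: every clause must hold.

    A missing attribute (e.g. the artifact was never run through `vet gate`)
    fails closed: the permit does not fire, so access is denied by default.
    """
    try:
        return (principal["CUITrainingCurrent"] is True        # from qualify
                and workload["SLSALevel"] >= min_slsa          # from vet
                and workload["CVECritical"] is False)
    except KeyError:
        return False
```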

Commands

Four commands, one pipeline: sign → verify → sbom → gate.

vet sign

Sign any artifact — container image, binary, S3 model artifact — using Sigstore keyless signing. Outputs a .sig file and the Rekor log ID.

vet sign image:tag
vet sign ./binary --subject user@inst.edu
vet sign s3://bucket/model.tar.gz

vet verify

Verify the cosign signature, the SLSA provenance attestation, and optionally the CVE status. The minimum accepted SLSA level is configurable.

vet verify image:tag --min-slsa-level 2
vet verify ./binary --source github.com/org/repo
vet verify image:tag --check-cves critical

vet sbom

Generate a Software Bill of Materials in SPDX or CycloneDX format and attach a signed attestation to the GitHub attestation API.

vet sbom image:tag --format spdx --attest
vet sbom image:tag --format cyclonedx
vet sbom ./binary --format spdx

vet gate

Write verification results as Cedar workload attributes. Integrates with attest's Cedar PDP for policy-based access control.

vet gate image:tag --policy .vet/policy.yaml
# writes: SLSALevel, SBOMPresent,
#         CVECritical, CVEHigh, Signed

Reference test case: spore.host

spore.host is vet's reference implementation test case. It exercises the hardest supply chain scenarios because of how it works: a binary that runs on a user's laptop, deploys EC2 instances into an AWS account, uses images from another account, and needs a compliant SRE-resident variant.

1. Local binary verification

The spawn binary runs on the user's laptop. Before it can assume an IAM role in a CUI environment, vet verifies its SLSA provenance from the GitHub Actions release pipeline.

vet verify ~/bin/spawn \
  --source github.com/scttfrdmn/mycelium \
  --min-slsa-level 2
# ✓ Provenance: built by github.com/scttfrdmn/mycelium@v1.4.0

2. Cross-account AMI trust

spore.host launches instances using AMIs that may originate from a different AWS account. vet verifies that the AMI owner is on an approved allowlist and checks the base OS packages for critical CVEs.

vet verify ami-0abcd1234 --type ami \
  --allowed-owner-ids 123456789012 \
  --check-cves critical
# ✓ AMI owner: 123456789012 (approved)
# ✓ No critical CVEs in base image packages

3. Laptop → SRE trust boundary

For CUI environments, an unverified local binary calling SRE APIs is a compliance gap. vet's Cedar gate together with ground's IAM trust policy condition close it: the SRE grants access only when the calling binary carries a valid vet:slsa-level claim.

vet gate spawn-v1.4.0
# Writes context.workload.SLSALevel=2 for IAM trust evaluation

# ground deploys this trust condition on the user role:
# "aws:PrincipalTag/vet:slsa-level": ["2", "3"]

4. SRE-resident compliant mode

For the most sensitive environments, spore.host can run as a container inside the SRE rather than on a user's laptop. This is the reference implementation of a fully vet-certified workload.

vet sign provabl/spawn-sre:v1.4.0
vet sbom provabl/spawn-sre:v1.4.0 --format spdx --attest
vet verify provabl/spawn-sre:v1.4.0 --min-slsa-level 2
vet gate provabl/spawn-sre:v1.4.0
# ✓ Container certified for SRE deployment