npm Registry Attestation API client.
Fetches Sigstore-based provenance attestations from the npm registry
to enrich DependencySignatureEvidence with signer identity, source
repository, source commit, and transparency log information.
API endpoint: https://registry.npmjs.org/-/npm/v1/attestations/{name}@{version}
Each response contains up to two attestations:
- publish attestation (predicateType: .../npm/attestation/.../publish/v0.1)
- SLSA provenance (predicateType: https://slsa.dev/provenance/v1)
We extract provenance data from the SLSA provenance attestation's DSSE envelope payload (a base64-encoded in-toto Statement v1).
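As an added example that is not part of this crate (written in Python rather than the crate's Rust so it runs with only the standard library): walking a constructed attestations API response, selecting the SLSA provenance attestation, decoding its DSSE payload into an in-toto Statement v1, and extracting the source repository, source commit and transparency log index. The response shape used here (`attestations[].predicateType`, `attestations[].bundle.dsseEnvelope`, `bundle.verificationMaterial.tlogEntries`) follows the Sigstore bundle format and is an assumption, as are the field paths inside the SLSA v1 predicate (`buildDefinition.resolvedDependencies`, `runDetails.builder.id`). The `NpmProvenance` dataclass, the `npm_purl` and `dsse_envelope` helpers, the placeholder publish predicateType and all sample values are hypothetical.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional

SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


@dataclass
class NpmProvenance:  # hypothetical Python counterpart of the crate's struct
    subject: str
    subject_digest: dict
    builder_id: Optional[str]
    source_repository: Optional[str]
    source_commit: Optional[str]
    log_index: Optional[int]


def npm_purl(name: str, version: str) -> str:
    """Statement subject name; a scoped name's leading '@' is percent-encoded
    per the purl spec (pkg:npm/%40scope/name@version)."""
    return f"pkg:npm/{name.replace('@', '%40', 1)}@{version}"


def decode_dsse_payload(envelope: dict) -> dict:
    """Decode the base64 DSSE payload into an in-toto Statement v1. The DSSE
    signature is NOT verified here; a Sigstore verifier must do that first."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"], validate=True))
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        raise ValueError(f"unexpected statement _type {statement.get('_type')!r}")
    return statement


def extract_provenance(response: dict, name: str, version: str) -> NpmProvenance:
    """Select the SLSA provenance attestation and pull source/tlog fields."""
    expected_subject = npm_purl(name, version)
    for att in response.get("attestations", []):
        if att.get("predicateType") != SLSA_PROVENANCE_V1:
            continue  # the publish attestation carries no build provenance
        bundle = att["bundle"]  # Sigstore bundle: dsseEnvelope + verificationMaterial
        statement = decode_dsse_payload(bundle["dsseEnvelope"])
        # The outer predicateType is unsigned metadata; the signed one must agree.
        if statement.get("predicateType") != SLSA_PROVENANCE_V1:
            raise ValueError("predicateType differs between API entry and statement")
        # The signed subject must name exactly the package@version we asked for.
        subjects = [s for s in statement.get("subject", [])
                    if s.get("name") == expected_subject]
        if not subjects:
            raise ValueError(f"statement does not cover {expected_subject}")
        predicate = statement.get("predicate", {})
        # Source repo and commit: the git entry in resolvedDependencies, shaped
        # uri="git+https://host/owner/repo@<ref>", digest.gitCommit="<sha>".
        repo = commit = None
        for dep in predicate.get("buildDefinition", {}).get("resolvedDependencies", []):
            uri = dep.get("uri", "")
            if uri.startswith("git+"):
                repo = uri[len("git+"):].split("@", 1)[0]
                commit = dep.get("digest", {}).get("gitCommit")
                break
        tlog = bundle.get("verificationMaterial", {}).get("tlogEntries", [])
        return NpmProvenance(
            subject=expected_subject,
            subject_digest=subjects[0].get("digest", {}),
            builder_id=predicate.get("runDetails", {}).get("builder", {}).get("id"),
            source_repository=repo,
            source_commit=commit,
            log_index=int(tlog[0]["logIndex"]) if tlog else None,
        )
    raise ValueError("no SLSA provenance attestation in response")


def dsse_envelope(statement: dict) -> dict:
    # Wrap a statement as a DSSE envelope: base64 payload, placeholder signature.
    return {"payloadType": INTOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
            "signatures": [{"keyid": "", "sig": "c2ln"}]}


# Constructed sample response, not real registry data. The publish attestation's
# real predicateType is elided on the page, so a placeholder stands in for it.
SAMPLE_STATEMENT = {
    "_type": INTOTO_STATEMENT_V1,
    "subject": [{"name": "pkg:npm/left-pad@1.3.0", "digest": {"sha512": "ab" * 64}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [{
            "uri": "git+https://github.com/example/left-pad@refs/tags/v1.3.0",
            "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}]},
        "runDetails": {"builder": {"id": "https://example.invalid/builder/ci"}},
    },
}
SAMPLE_RESPONSE = {"attestations": [
    {"predicateType": "https://example.invalid/npm/publish/v0.1", "bundle": {}},
    {"predicateType": SLSA_PROVENANCE_V1,
     "bundle": {"dsseEnvelope": dsse_envelope(SAMPLE_STATEMENT),
                "verificationMaterial": {"tlogEntries": [{"logIndex": "123456789"}]}}},
]}

if __name__ == "__main__":
    print(extract_provenance(SAMPLE_RESPONSE, "left-pad", "1.3.0"))
```

Two checks matter more than the field extraction itself: the `predicateType` on the API entry is unsigned, so only the value inside the decoded statement should be trusted, and the statement's `subject` must name the exact `pkg:npm/...@version` being queried, otherwise a valid attestation for a different version would be accepted. The example deliberately stops short of verifying the DSSE signature, the signing certificate's identity, or the Rekor entry; those belong to a Sigstore bundle verifier and must succeed before any of the extracted fields are used as evidence.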
Structs
- NpmAttestationClient
- NpmProvenance - Provenance data extracted from an npm SLSA attestation.