The Statement is the middle layer of the attestation, binding it to a particular subject and unambiguously identifying the types of the Predicate.
The Statement is represented as a JSON object with the following fields. Additional parsing rules apply.
_type string (TypeURI), required
Identifier for the schema of the Statement. Always
https://in-toto.io/Statement/v1for this version of the spec.
subject array of ResourceDescriptor objects, required
Set of software artifacts that the attestation applies to. Each element represents a single software artifact. Each element MUST have
digestset.Subjects are assumed to be immutable, i.e. the artifacts identified by the subject SHOULD NOT change.
The
namefield may be used as an identifier to distinguish this artifact from others within thesubject. Similarly, other ResourceDescriptor fields may be used as required by the context. The semantics are up to the producer and consumer and they MAY use them when evaluating policy. If the name is not meaningful, leave the field unset or use "_". For example, a SLSA Provenance attestation might use the name to specify output filename, expecting the consumer to only consider entries with a particular name. Alternatively, a vulnerability scan attestation might leave name unset because the results apply regardless of what the artifact is named.If set,
nameanduriSHOULD be unique within subject.IMPORTANT: Subject artifacts are matched purely by digest, regardless of content type. If this matters to you, please comment on GitHub Issue #28
predicateType string (TypeURI), required
URI identifying the type of the Predicate.
predicate object, optional
Additional parameters of the Predicate. Unset is treated the same as set-but-empty. MAY be omitted if
predicateTypefully describes the predicate.
{ "_type": "https://in-toto.io/Statement/v1", "subject": [ { "name": "<NAME>", "digest": {"<ALGORITHM>": "<HEX_VALUE>"} }, ... ], "predicateType": "<URI>", "predicate": { ... } }