
Attestations

Signed, reproducible statements about what happened on a developer's machine.

An attestation is a structured, signed record that a specific piece of code ran in a specific environment and produced a specific result. Attestations are the only currency on a gridtrue network — policy decisions, audits and Conflict Radar all read from the same stream.

Anatomy

subject
The commit SHA and file subset the attestation applies to.
predicate
What was run — for example build:go, test:jest, local-deploy:compose.
environment
Pinned runtimes, OS, container digests, tool versions. Reproducible by construction.
result
Structured pass / fail plus timing, log digest and exit code.
identity
Cert issued by your org and stored in your OS keyring.
signature
ECDSA P-256 over the canonical JSON of everything above.

Minimum viable attestation

json
{
  "subject": {
    "commit": "6f4a…d91",
    "paths": ["services/payments/**"]
  },
  "predicate": "test:go",
  "environment": {
    "runtime": "container",
    "image": "ghcr.io/gridtrue/runner-go:1.23@sha256:c7c…",
    "go": "1.23.3"
  },
  "result": {
    "status": "pass",
    "duration_ms": 4812,
    "exit_code": 0
  },
  "identity": "cn=alice,ou=dev,o=acme",
  "signature": "MEUCIQDn…"
}
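
How a verifier could check the signature field of a record like the one above, as an added example that is not gridtrue's own code. It assumes the signed payload is the attestation without its signature field, re-encoded with sorted keys and no whitespace, hashed with SHA-256, and that the signature is base64-encoded ASN.1 DER. The names digest, Verify, signSample and demoKey are hypothetical, and the key and sample record are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed throwaway key

// digest hashes every field except "signature" and returns the stored signature.
func digest(att []byte) (sum [32]byte, sig string, err error) {
	var m map[string]any
	dec := json.NewDecoder(bytes.NewReader(att))
	dec.UseNumber() // keep numbers exactly as written
	if err = dec.Decode(&m); err != nil {
		return sum, "", err
	}
	sig, _ = m["signature"].(string)
	delete(m, "signature")
	payload, err := json.Marshal(m) // assumed canonical form: sorted keys, no whitespace
	return sha256.Sum256(payload), sig, err
}

// Verify fails closed: bad JSON, a missing or malformed signature, or a mismatch all return false.
func Verify(att []byte, pub *ecdsa.PublicKey) bool {
	sum, sig, err := digest(att)
	der, derr := base64.StdEncoding.DecodeString(sig)
	return err == nil && derr == nil && ecdsa.VerifyASN1(pub, sum[:], der)
}

// signSample is the signer side, used only to build the constructed samples (errors ignored).
func signSample(att []byte, key *ecdsa.PrivateKey) string {
	sum, _, _ := digest(att)
	der, _ := ecdsa.SignASN1(rand.Reader, key, sum[:])
	return base64.StdEncoding.EncodeToString(der)
}

func main() {
	const tmpl = `{"predicate":"test:go","result":{"status":"%s","exit_code":1},"signature":"%s"}`
	sig := signSample([]byte(fmt.Sprintf(tmpl, "fail", "")), demoKey)
	fmt.Println("as signed:     ", Verify([]byte(fmt.Sprintf(tmpl, "fail", sig)), &demoKey.PublicKey))
	fmt.Println("status flipped:", Verify([]byte(fmt.Sprintf(tmpl, "pass", sig)), &demoKey.PublicKey))
}
```

Because the digest is taken over the re-encoded record, key order and whitespace do not affect verification, while a change to any signed field does.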

What you can do with them

  • Gate pushes to protected branches — policy reads attestations from the ledger.
  • Block deploys to staging / prod unless the required attestations exist.
  • Answer 'who verified this change, with what environment, when?' with a single query.
  • Export a signed bundle for auditors — SLSA-compatible on demand.