From f314ee96bfed8a574a6ab986b60021108d8a71c8 Mon Sep 17 00:00:00 2001
From: John Speed Meyers <54914994+jspeed-meyers@users.noreply.github.com>
Date: Thu, 17 Feb 2022 11:22:49 -0500
Subject: [PATCH] Add intoto type documentation (#679)

* Add in-toto type documentation

Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
---
 pkg/types/intoto/README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 pkg/types/intoto/README.md

diff --git a/pkg/types/intoto/README.md b/pkg/types/intoto/README.md
new file mode 100644
index 0000000..eba7a16
--- /dev/null
+++ b/pkg/types/intoto/README.md
@@ -0,0 +1,13 @@
+**in-toto Type Data Documentation**
+
+This document provides a definition for each field that is not otherwise described in the [in-toto schema](https://github.com/sigstore/rekor/blob/main/pkg/types/intoto/v0.0.1/intoto_v0_0_1_schema.json). This document also notes any additional information about the values associated with each field such as the format in which the data is stored and any necessary transformations.
+
+**Attestation:** authenticated, machine-readable metadata about one or more software artifacts. [SLSA definiton](https://github.com/slsa-framework/slsa/blob/main/controls/attestations.md)
+- The Attestation value ought to be a Base64-encoded JSON object.
+- The [in-toto Attestation specification](https://github.com/in-toto/attestation/blob/main/spec/README.md#statement) provides detailed guidance on understanding and parsing this JSON object.
+
+**AttestationType:** Identifies the type of attestation being made, such as a provenance attestation or a vulnerability scan attestation. AttestationType's value, even when prefixed with an http, is not necessarily a working URL.
+
+**How do you identify an object as an in-toto object?**
+
+The "Body" field will include an "IntotoObj" field.
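Review bot: The Attestation bullet says the value "ought to be a Base64-encoded JSON object", which leaves a reader unsure whether the encoding is a requirement or only the usual case. Since this README exists to document the stored format and any necessary transformations, state it definitively (for example "The Attestation value is a Base64-encoded JSON object") or say explicitly when it may not be encoded. Two smaller points in the same hunk: the link text "SLSA definiton" on the Attestation line is misspelled and should read "SLSA definition", and "even when prefixed with an http" on the AttestationType line would be clearer as "even when it begins with `http://` or `https://`". The title and the field names use bold text rather than Markdown headings, so they will not appear in a rendered outline or get anchor links; consider `#` and `##` headings instead. The final section would also be easier to act on if it named where the "Body" field is found, since the hunk does not say which object or response carries it.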
-- 
GitLab