Consider allowing attestors to auto-detect/auto-run #277
Replies: 3 comments 1 reply
-
I like this. It reduces the path of resistance to secure code. Also plays a bit with technology detection. Would users also still be able to config attestors, say they have a project and they don't want the git attestor to run for some reason (idk), I figure they should be able to opt out of the automatic attestor if they want?
-
Yes! 100%. This would help out the UX an incredible amount. I wonder if we could have it so the plugins could define the "autodetect" code.
-
Turns out an issue exists for this in our current (very un-groomed) backlog
-
Currently users have to explicitly define which attestors they wish to run through a CLI flag, such as `witness run -a git,environment`. We have a default set of attestors that are automatically set on this flag, but this has caused problems in the past. An idea that could improve the UX around the witness CLI is, instead of explicitly stating which attestors should run, we could have attestors that detect whether they can run, and if they can they automatically do. For instance, in the case of the git attestor it could check to see if a repo exists in the current context and if so automatically run. If one does not, it would not run.

However, there are a few things to consider with this approach, including but not limited to:

- Some attestors have the potential to record sensitive data that users may not want to be leaked. For instance, the environment attestor logs all environment variables. This attestor can block list specific variables and currently has a list of well known secret variables it ignores by default, but users may have to add additional configurations for this attestor to prevent secrets from being leaked.
- We would need a way to specify that we expect an attestor to be required to run and error out if it does not. For instance, a user may expect the `oci` attestor to run, and if it does not they may want `witness run` to throw an error.
- Some attestors may be non-trivial to determine whether they can run. Picking up if a git repo exists in our current context is a fairly trivial action. However, if we capture the results of an `npm install` where multiple thousands of products are created, searching all products for an `oci` image is not so trivial.
- There may be cases where even though an attestor can run a user may not want it to. Users should be able to opt-out of attestors they explicitly don't want to run.
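The following Go sketch is an added example illustrating the design discussed in this thread; it is not code from the witness project and does not use its real attestor interfaces. It assumes a hypothetical `Attestor` interface with a `Detect` method, a constructed detection heuristic for the `oci` attestor (presence of an `oci-layout` marker file), a constructed default block list for the environment attestor, and a `SelectAttestors` runner that honours both an explicit opt-out list and a required list that fails the run when a required attestor did not detect or was excluded.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Attestor is a hypothetical interface (not witness's own): Detect reports
// whether the attestor is applicable in dir, so the runner can auto-select it.
type Attestor interface {
	Name() string
	Detect(dir string) bool
}

// gitAttestor applies when the directory is a git work tree (cheap check).
type gitAttestor struct{}

func (gitAttestor) Name() string { return "git" }
func (gitAttestor) Detect(dir string) bool {
	info, err := os.Stat(filepath.Join(dir, ".git"))
	return err == nil && info.IsDir()
}

// ociAttestor uses a constructed heuristic: an OCI image layout directory
// carries an "oci-layout" marker file. Scanning thousands of build products
// for an image would be far more expensive, which is the post's caveat.
type ociAttestor struct{}

func (ociAttestor) Name() string { return "oci" }
func (ociAttestor) Detect(dir string) bool {
	_, err := os.Stat(filepath.Join(dir, "oci-layout"))
	return err == nil
}

// environmentAttestor is always applicable; the leak concern is handled by
// FilterEnv, not by detection.
type environmentAttestor struct{}

func (environmentAttestor) Name() string { return "environment" }
func (environmentAttestor) Detect(string) bool { return true }

// DefaultBlockList is a constructed stand-in for the well-known secret
// variables the environment attestor ignores by default.
var DefaultBlockList = []string{"AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN"}

// FilterEnv drops KEY=VALUE pairs whose key is on the default block list or
// on the user's additional list, preserving the order of the rest.
func FilterEnv(env []string, extra []string) []string {
	blocked := make(map[string]bool)
	for _, k := range append(append([]string{}, DefaultBlockList...), extra...) {
		blocked[k] = true
	}
	var kept []string
	for _, kv := range env {
		key, _, _ := strings.Cut(kv, "=")
		if !blocked[key] {
			kept = append(kept, kv)
		}
	}
	return kept
}

// RunOptions models the two controls the post asks for: opt-out and required.
type RunOptions struct {
	Dir      string
	Excluded []string
	Required []string
}

// SelectAttestors returns the names of attestors that would auto-run and an
// error naming any required attestor that was excluded or did not detect.
func SelectAttestors(all []Attestor, opts RunOptions) ([]string, error) {
	excluded := make(map[string]bool)
	for _, n := range opts.Excluded {
		excluded[n] = true
	}
	ran := make(map[string]bool)
	var selected []string
	for _, a := range all {
		if excluded[a.Name()] || !a.Detect(opts.Dir) {
			continue
		}
		selected = append(selected, a.Name())
		ran[a.Name()] = true
	}
	var missing []string
	for _, n := range opts.Required {
		if !ran[n] {
			missing = append(missing, n)
		}
	}
	if len(missing) > 0 {
		return selected, fmt.Errorf("required attestors did not run: %s", strings.Join(missing, ","))
	}
	return selected, nil
}

func main() {
	dir, _ := os.Getwd()
	all := []Attestor{gitAttestor{}, ociAttestor{}, environmentAttestor{}}
	names, err := SelectAttestors(all, RunOptions{Dir: dir, Required: []string{"git"}})
	fmt.Println(names, err)
}
```

Run from inside a git checkout and `git` and `environment` are selected while `oci` silently skips; run with `Required: []string{"oci"}` in a directory with no image layout and the call returns an error instead of quietly producing an attestation without it, which is the failure mode the post wants to make loud.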