Proposal: add a field to the VSA schema for policy violations #1262

Open
djtjwillia opened this issue Dec 17, 2024 · 1 comment
Comments

@djtjwillia
Currently, the VSA schema shows the policy bundle, and a verificationResult of PASSED or FAILED. Today, based on the VSA, there is no way for consumers of an artifact to determine if they would like to make an exception to use an artifact with a FAILED verificationResult, as there is no context in the VSA about what violations were found. Similarly, from the VSA, producers do not have any actionable listing on what caused a FAILED state to be determined.

If we add an optional field, policyViolations, that would be a collection of name, description pairs that could be output by the policy evaluator to provide detail on these policy violations, then either consumers or producers could address or use FAILED policy artifacts with a higher level of ease and confidence. This would also benefit those who may currently be creating custom attestations specifically for policy results.
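To make the proposal concrete, here is an added example (not code from the SLSA project or from the issue author) of what a consumer-side decision could look like if the optional `policyViolations` field existed. The statement below is a constructed sample in the SLSA `verification_summary/v1` predicate layout; the `policyViolations` entries, the verifier id, the policy URI and the subject digest are all made-up values, and the `policyViolations` field itself is the one this issue proposes, not part of the published schema. The point it demonstrates is the one the issue makes: with the field absent, a FAILED result can only be rejected outright; with it present, a consumer can apply a documented exception list and a producer gets a list of what to fix.

```python
from __future__ import annotations

import copy
import json

VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"
# Sentinel used when a FAILED VSA carries no violation detail at all.
NO_DETAIL = "unspecified-violation"

# Constructed sample VSA (in-toto Statement wrapping a SLSA VSA predicate).
# "policyViolations" is the field proposed in this issue; every value is a
# placeholder, not a real digest, verifier or policy.
SAMPLE_VSA = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-artifact", "digest": {"sha256": "<constructed-digest>"}}],
    "predicateType": VSA_PREDICATE_TYPE,
    "predicate": {
        "verifier": {"id": "https://example.invalid/verifier"},
        "timeVerified": "2024-12-17T00:00:00Z",
        "resourceUri": "pkg:example/artifact@1.0.0",
        "policy": {"uri": "https://example.invalid/policy/build-policy"},
        "verificationResult": "FAILED",
        "verifiedLevels": [],
        "policyViolations": [
            {
                "name": "missing-provenance-builder-id",
                "description": "Provenance does not identify a trusted builder.",
            },
            {
                "name": "unpinned-dependency",
                "description": "A dependency is referenced by tag, not by digest.",
            },
        ],
    },
}


def load_statement(raw: str) -> dict:
    """Parse a serialized VSA and check it is the predicate type we handle."""
    statement = json.loads(raw)
    if statement.get("predicateType") != VSA_PREDICATE_TYPE:
        raise ValueError(f"unexpected predicateType: {statement.get('predicateType')!r}")
    return statement


def violations(statement: dict) -> list[dict]:
    """Return the proposed policyViolations list, validated as name/description pairs.

    An absent field yields an empty list so that today's VSAs keep working.
    """
    entries = statement["predicate"].get("policyViolations", [])
    for entry in entries:
        if not isinstance(entry.get("name"), str) or not isinstance(entry.get("description"), str):
            raise ValueError(f"malformed policyViolations entry: {entry!r}")
    return entries


def decide(statement: dict, accepted_exceptions: set[str]) -> tuple[str, list[str]]:
    """Consumer decision: ACCEPT or REJECT, plus the violation names that block use.

    accepted_exceptions is the consumer's own, deliberately maintained list of
    violation names it is willing to tolerate for this artifact (an assumption
    of this example; the issue only says such exceptions become possible).
    """
    predicate = statement["predicate"]
    if predicate.get("verificationResult") == "PASSED":
        return "ACCEPT", []

    detail = violations(statement)
    if not detail:
        # This is the situation the issue describes: FAILED with no context,
        # so there is nothing a consumer could knowingly grant an exception for.
        return "REJECT", [NO_DETAIL]

    blocking = [v["name"] for v in detail if v["name"] not in accepted_exceptions]
    return ("ACCEPT", []) if not blocking else ("REJECT", blocking)


def producer_todo(statement: dict) -> list[str]:
    """Producer view: one actionable line per violation, for fixing the build."""
    return [f"{v['name']}: {v['description']}" for v in violations(statement)]


def strip_detail(statement: dict) -> dict:
    """Copy of the statement without policyViolations, i.e. today's VSA shape."""
    stripped = copy.deepcopy(statement)
    stripped["predicate"].pop("policyViolations", None)
    return stripped


if __name__ == "__main__":
    vsa = load_statement(json.dumps(SAMPLE_VSA))
    print(decide(vsa, set()))
    print(decide(vsa, {"unpinned-dependency"}))
    print(decide(strip_detail(vsa), {"unpinned-dependency"}))
    print("\n".join(producer_todo(vsa)))
```

The exception set is per consumer and per artifact on purpose: the VSA only reports what the policy evaluator found, and whether a given violation is tolerable is a decision the consumer has to own and record, which is exactly what the missing detail currently prevents.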

@trishankatdatadog
Member

Thanks for opening this issue, Taylor!

@TomHennen @adityasaky What is our current thinking on failure modes for VSA again? Do we want a VSA that says a policy failed to verify and why exactly? I think so: I can imagine use cases where that is very useful (e.g., a latest failed ticket that supersedes a previous successful one).
