Generation of SLSA3+ provenance for native GitHub projects
This repository contains tools for generating non-forgeable SLSA provenance on GitHub that meets the build and provenance requirements for SLSA level 3 and above.
Using the provided GitHub Actions reusable workflows alone is not sufficient to meet all of the requirements at SLSA level 3. In particular, the source requirements are not covered by these workflows and must be handled separately to meet all requirements at SLSA level 3+.
This repository contains the code, examples and technical design for the system described in the blog post on Non forgeable SLSA provenance using GitHub workflows.
Generation of provenance
Builders
Builders build and generate provenance. They let you meet the build and provenance requirements for SLSA Level 3 and above.
Builders are able to report the exact commands used to generate your artifact in the provenance.
The following builders are available:
- Go Builder SLSA Level 3: To generate SLSA provenance for your Go project, follow internal/builders/go/README.md
Provenance-only Generators
Provenance-only generators let you build your artifact yourself and then generate only the provenance for you. They let you meet the provenance requirements for SLSA Level 3.
Generators create an attestation to a software artifact coming from your repository.
Generators are not able to report the exact commands used to generate your artifact in the provenance.
To generate SLSA provenance using the provenance-only generator, follow internal/builders/generic/README.md. This is a pre-release only; the official release is planned for July 2022.
Verification of provenance
To verify the provenance, use the github.com/slsa-framework/slsa-verifier project.
Installation
To install the verifier, see slsa-framework/slsa-verifier#installation.
Inputs
The inputs of the verifier are described in slsa-framework/slsa-verifier#available-options.
Command line examples
A command line example is provided in slsa-framework/slsa-verifier#example.
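As an added illustration of what provenance verification has to establish (not code from slsa-verifier or this repository), the function below checks the three consumer-facing properties on a SLSA v0.2 in-toto statement: the artifact's digest is a listed subject, the builder identity is the trusted one, and the source repository is the expected one. The sample statement, artifact bytes, builder id and repository URI are all constructed placeholders; the signed DSSE envelope that makes real provenance non-forgeable is not checked here, which is the part slsa-verifier adds.

```python
import hashlib
import json

# Constructed stand-in for a built binary and the in-toto Statement describing it.
ARTIFACT = b"hello, world\n"
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "app-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {
        # Placeholder builder id and source URI; real values come from the workflow.
        "builder": {"id": "https://github.com/example-org/builder-placeholder@refs/tags/v0.0.0"},
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/example-repo@refs/tags/v1.2.3",
            "digest": {"sha256": "0" * 64}}},
    },
})


def verify_provenance(statement_json, artifact_bytes, trusted_builder_prefix, expected_source_uri):
    """Return (ok, reason). Rejects on the first failed check so that a consumer
    never accepts an artifact whose provenance does not match what it expects."""
    stmt = json.loads(statement_json)
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        return False, "unexpected predicate type"

    # 1. The artifact we hold must be one of the subjects the provenance attests to.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return False, "artifact digest not among provenance subjects"

    # 2. Only a known builder (the trusted reusable workflow) may have produced it.
    pred = stmt.get("predicate", {})
    builder_id = pred.get("builder", {}).get("id", "")
    if not builder_id.startswith(trusted_builder_prefix):
        return False, "untrusted builder: " + builder_id

    # 3. The build must have been configured from the repository we expect.
    source = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    if source != expected_source_uri:
        return False, "source mismatch: " + source
    return True, "ok"
```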
Technical design
Blog post
Find our blog post series here.
Specifications
For a more in-depth technical dive, read the SPECIFICATIONS.md.
Provenance format
The format of the provenance is available in PROVENANCE_FORMAT.md.