
add support for SLSA provenance verification

Open sozercan opened this issue 3 years ago • 5 comments

example scenario: check if an image was built from a specific repo, with a specific branch/commit, include certain reviewers, etc

https://slsa.dev/provenance/v0.2

sozercan avatar Apr 13 '22 22:04 sozercan
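Added example (not Ratify's code and not part of this thread): a small Go check, in the spirit of the scenario above, that parses an in-toto statement carrying a SLSA provenance v0.2 predicate and verifies that it covers the image digest being admitted, names a trusted builder, and was built from the expected repository, branch and commit. The `Policy` type is a hypothetical admin configuration, the `git+<repo>@refs/heads/<branch>` form of `invocation.configSource.uri` is assumed (it is the convention some git-based builders use, not something the v0.2 schema mandates), and the embedded statement is constructed sample data with placeholder digests.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Minimal subset of the in-toto Statement / SLSA Provenance v0.2 schema
// (https://slsa.dev/provenance/v0.2); only the fields the checks below use.
type Statement struct {
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     Predicate `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Predicate struct {
	Builder struct {
		ID string `json:"id"`
	} `json:"builder"`
	BuildType  string `json:"buildType"`
	Invocation struct {
		ConfigSource struct {
			URI        string            `json:"uri"`
			Digest     map[string]string `json:"digest"`
			EntryPoint string            `json:"entryPoint"`
		} `json:"configSource"`
	} `json:"invocation"`
}

// Policy is a hypothetical admin-supplied expectation for one image.
type Policy struct {
	ImageDigest    string // sha256 hex the provenance subject must carry
	TrustedBuilder string // builder.id that is allowed to have produced it
	SourceRepo     string // e.g. "https://github.com/example/app"
	Branch         string // empty means any branch
	Commit         string // sha1 hex; empty means any commit
}

const slsaV02 = "https://slsa.dev/provenance/v0.2"

// VerifyProvenance returns nil when the statement satisfies the policy.
// Signature verification of the envelope is assumed to have happened
// before this is called; this only checks the claims inside it.
func VerifyProvenance(raw []byte, p Policy) error {
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return fmt.Errorf("parse statement: %w", err)
	}
	if st.PredicateType != slsaV02 {
		return fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	// The provenance must be about the image being admitted, not just any image.
	covers := false
	for _, s := range st.Subject {
		if s.Digest["sha256"] == p.ImageDigest {
			covers = true
		}
	}
	if !covers {
		return errors.New("provenance subject does not match image digest")
	}
	if st.Predicate.Builder.ID != p.TrustedBuilder {
		return fmt.Errorf("untrusted builder %q", st.Predicate.Builder.ID)
	}
	cs := st.Predicate.Invocation.ConfigSource
	// Assumed convention: "git+<repo>@<ref>"; strip the scheme prefix and split on "@".
	repo, ref, _ := strings.Cut(strings.TrimPrefix(cs.URI, "git+"), "@")
	if repo != p.SourceRepo {
		return fmt.Errorf("source repo %q not allowed", repo)
	}
	if p.Branch != "" && ref != "refs/heads/"+p.Branch {
		return fmt.Errorf("ref %q is not branch %q", ref, p.Branch)
	}
	if p.Commit != "" && cs.Digest["sha1"] != p.Commit {
		return fmt.Errorf("commit %q does not match expected %q", cs.Digest["sha1"], p.Commit)
	}
	return nil
}

// Constructed sample statement; the digests and builder id are placeholders.
const SampleImageDigest = "placeholder-image-sha256"
const SampleCommit = "placeholder-commit-sha1"
const SampleBuilder = "https://builder.example/ci"

const SampleProvenance = `{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [{"name": "ghcr.io/example/app", "digest": {"sha256": "` + SampleImageDigest + `"}}],
  "predicate": {
    "builder": {"id": "` + SampleBuilder + `"},
    "buildType": "https://builder.example/container@v1",
    "invocation": {"configSource": {
      "uri": "git+https://github.com/example/app@refs/heads/main",
      "digest": {"sha1": "` + SampleCommit + `"},
      "entryPoint": ".github/workflows/release.yml"}}
  }
}`

func main() {
	p := Policy{ImageDigest: SampleImageDigest, TrustedBuilder: SampleBuilder,
		SourceRepo: "https://github.com/example/app", Branch: "main", Commit: SampleCommit}
	fmt.Println("main branch:", VerifyProvenance([]byte(SampleProvenance), p))
	p.Branch = "release"
	fmt.Println("release branch:", VerifyProvenance([]byte(SampleProvenance), p))
}
```

Two design points: the subject check comes first because a provenance document that is valid but describes a different artifact proves nothing about the image under review, and the builder id is pinned before any source claim is trusted, since every other field in the predicate is only as trustworthy as the builder that asserted it.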

thanks for bringing this up @sozercan. Do you think the SLSA provenance store/verifier experience will be similar to the spdx example?

In the spdx example, the spdx verifier configuration specified a list of allowedLicenses. Will the branch/reviewer validation for the provenance likely be specific to individual image verification?

susanshi avatar Apr 14 '22 23:04 susanshi

Hi @sozercan, we had a discussion around this item in our community meeting. We have an item tracking OPA policy integration. We want to build a general json verifier based on OPA Policy integration (verification as OPA policy). This would avoid building a specific verifier that is schema dependent. Does this align with your vision?

susanshi avatar Apr 20 '22 19:04 susanshi

We also discussed another passthrough option where ratify can return a report and keep the decision in keep based on rego policy

susanshi avatar Apr 27 '22 21:04 susanshi

Options are different personas here; for ratify, it would be admin while handing in rego is policy author as a Gatekeeper external data provider.

If ratify wants to validate SLSA provenance standalone (without GK or with other tools), then ratify will need a verifier for this.

sozercan avatar May 03 '22 19:05 sozercan

This might be something that could be leveraged: https://github.com/slsa-framework/slsa-verifier

jeremyrickard avatar Apr 11 '23 02:04 jeremyrickard