
[discussion] Revisit `internalParameters`

Open ianlewis opened this issue 2 years ago • 0 comments

https://slsa.dev/provenance/v1#builddefinition states for internalParameters:

> There is no need to verify these parameters because the build platform is already trusted, and in many cases it is not practical to do so.

This brings up whether our use of internalParameters is correct. We need to verify some information from the internal parameters. It's currently used by builderTriggerInfo which is then used to get the source URI and workflow path for verification. We also verify a number of values from these parameters.

We add most GITHUB_* environment variables to these parameters since they are set by GitHub Actions and not directly by the user, but perhaps some, like GITHUB_REPOSITORY, should actually be considered under the user's control and be set in the externalParameters?

/cc @laurentsimon @asraa

Related to #2186, #1200

ianlewis Jun 02 '23 06:06
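As an added illustration of the distinction the issue raises (not code from the slsa-github-generator project), the check below reads the source repository and ref only from externalParameters and refuses a provenance whose source is recorded solely under internalParameters. The field layout, buildType URI and builder id are assumptions modelled on the SLSA v1 GitHub Actions buildType, and all values are constructed for the example.

```python
# Added example, not code from the slsa-github-generator project; field layout
# and identifiers are assumptions modelled on the SLSA v1 GitHub Actions buildType.

# Builder identity we trust (constructed placeholder).
TRUSTED_BUILDER_IDS = {"https://builder.example/trusted-builder@v1"}

class VerificationError(Exception):
    """Raised when the provenance fails the source policy."""

def make_provenance(external, internal):
    """Build a constructed SLSA v1 statement with the given parameter maps."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://buildtype.example/github-actions-workflow/v1",
                "externalParameters": external,
                "internalParameters": internal,
            },
            "runDetails": {"builder": {"id": "https://builder.example/trusted-builder@v1"}},
        },
    }

def verify_source(provenance, expected_repo, expected_ref):
    """Return (repository, ref) read from externalParameters after checking the
    builder is trusted; internalParameters is never consulted for these values."""
    pred = provenance["predicate"]
    builder_id = pred["runDetails"]["builder"]["id"]
    if builder_id not in TRUSTED_BUILDER_IDS:
        raise VerificationError(f"untrusted builder: {builder_id}")
    workflow = pred["buildDefinition"].get("externalParameters", {}).get("workflow", {})
    repo, ref = workflow.get("repository"), workflow.get("ref")
    if repo is None or ref is None:
        # A repository recorded only under internalParameters does not count.
        raise VerificationError("source repository/ref missing from externalParameters")
    if repo != expected_repo or ref != expected_ref:
        raise VerificationError(f"source mismatch: {repo}@{ref}")
    return repo, ref

# Good case: the source is declared as an external parameter.
GOOD = make_provenance(
    {"workflow": {"repository": "https://github.com/org/app", "ref": "refs/tags/v1.0.0"}},
    {"github": {"event_name": "push", "repository_id": "123456"}},
)
# Bad case: only internalParameters carries the repository, so the check refuses it.
INTERNAL_ONLY = make_provenance(
    {}, {"github": {"event_name": "push", "repository": "https://github.com/org/app"}})
```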