slsa-github-generator
Language-agnostic SLSA provenance generation for GitHub Actions
GitHub Actions doesn't validate that inputs were passed to an action even if the input is marked as required. We should be more strict about input checking and produce errors...
Getting the generated test data for new releases can be scripted to download it from the GHA runs and copy them into the right place in the slsa-verifier repo. For...
I added an input for the digest from the push to the registry. Add a verification method to confirm it is the same as from a pull from the same registry.
Non-hermetic Bazel builds that call installs before the build process are not currently supported. A proposed fix to this is to include an input for a path to a GitHub...
Now that most BYOB builders will build SLSA v1.0, we should probably update the PROVENANCE_FORMAT.md doc to reflect generation of v1.0 provenance.
Add an [`actions/stale`](https://github.com/actions/stale) workflow that will mark old issues and PRs as stale and close them.
**Describe the solution you'd like** Provenance statements generated by the container-based generator contain the GitHub context. Is it possible to include the Git commit timestamp in it too? Alternatively, it...
v1.8.0 should be used in https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.delegator.default.verify.sh#L39
We have a lot of directory traversal checks across all the actions and workflows. We should consolidate these checks into some kind of library that can be re-used. We...
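The kind of shared check the issue above asks for could look like the following. This is an added example written for this page, not code from slsa-github-generator; the names `SafeJoin` and `SafeJoinResolved`, the error value `ErrPathEscapes` and the base path `/github/workspace` are illustrative. It separates the lexical containment check (usable on paths that do not exist yet, such as an output file) from the stricter symlink-resolving variant (for inputs that already exist on the runner), because a `..`-free path can still point outside the workspace through a symlink committed to the repository.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathEscapes is returned when a caller-supplied path would resolve
// outside the directory it is supposed to stay in. (Hypothetical name.)
var ErrPathEscapes = errors.New("path escapes the allowed directory")

// containedIn reports whether target lies inside (or equals) base.
// Both arguments must already be absolute and cleaned.
func containedIn(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return false // e.g. different volumes on Windows
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeJoin joins untrusted onto base and rejects absolute paths and any
// sequence of ".." segments that would leave base. It is purely lexical:
// it never touches the filesystem, so it works for paths that do not
// exist yet (an output location, for instance).
func SafeJoin(base, untrusted string) (string, error) {
	if untrusted == "" {
		return "", errors.New("empty path")
	}
	if filepath.IsAbs(untrusted) {
		return "", ErrPathEscapes
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "a/../../x" collapses before we compare.
	joined := filepath.Join(absBase, untrusted)
	if !containedIn(absBase, joined) {
		return "", ErrPathEscapes
	}
	return joined, nil
}

// SafeJoinResolved is the stricter variant for paths that already exist:
// after the lexical check it follows symlinks on both base and the result
// and checks containment again. A link inside base that points at /etc is
// therefore rejected even though its lexical path looked fine. Base is
// resolved too because temp dirs (macOS /var -> /private/var) are often
// themselves symlinks.
func SafeJoinResolved(base, untrusted string) (string, error) {
	joined, err := SafeJoin(base, untrusted)
	if err != nil {
		return "", err
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	realBase, err := filepath.EvalSymlinks(absBase)
	if err != nil {
		return "", err
	}
	realTarget, err := filepath.EvalSymlinks(joined)
	if err != nil {
		return "", err
	}
	if !containedIn(realBase, realTarget) {
		return "", ErrPathEscapes
	}
	return realTarget, nil
}

func main() {
	// Constructed sample inputs; /github/workspace is the illustrative base.
	base := "/github/workspace"
	for _, p := range []string{"out/provenance.json", "a/../b", "../../etc/passwd", "/etc/passwd"} {
		got, err := SafeJoin(base, p)
		if err != nil {
			fmt.Printf("%-20q rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-20q -> %s\n", p, got)
	}
	// Optional: resolve a real path, e.g. `go run . $GITHUB_WORKSPACE some/input`.
	if len(os.Args) == 3 {
		got, err := SafeJoinResolved(os.Args[1], os.Args[2])
		fmt.Println(got, err)
	}
}
```

Callers that only need to place an output file use `SafeJoin`; anything that reads a repository-controlled file (a config path, a source directory) should go through `SafeJoinResolved` so that symlinks are considered as well.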
Currently the container-based workflow generates provenance with an `.intoto.build.slsa` extension. We should remove the `.intoto` part to make it consistent with other builders.