
Language-agnostic SLSA provenance generation for Github Actions

Results 279 slsa-github-generator issues

SLSA 1.0 recommends generating one provenance file per artifact file, rather than a single file with multiple artifact signatures. https://slsa.dev/spec/v1.0/distributing-provenance > The provenance SHOULD have a filename that is directly...

type:feature
area:generic
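One way to act on the per-artifact recommendation above, as an added example that is not code from the slsa-github-generator project: take a single unsigned in-toto Statement that lists several subjects and emit one Statement per subject, each under a file name derived from the subject name. The sample statement is constructed, and the `<artifact name>.intoto.jsonl` naming is an assumption made for the example (the spec text quoted in the issue is truncated on this page). The split has to happen before DSSE signing, because the signature covers the whole payload and a signed envelope cannot be trimmed to one subject without invalidating it.

```python
import copy
import json

# Constructed sample: an unsigned in-toto Statement v1 with three subjects,
# roughly what a generator holds in memory before it DSSE-signs the payload.
MULTI_SUBJECT_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": "app-linux-amd64", "digest": {"sha256": "a" * 64}},
        {"name": "app-darwin-arm64", "digest": {"sha256": "b" * 64}},
        {"name": "app.tar.gz", "digest": {"sha256": "c" * 64}},
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/build"},  # placeholder buildType
        "runDetails": {},
    },
}


def split_per_artifact(statement):
    """Return {filename: statement} with exactly one subject per statement.

    Must be called on the *unsigned* statement: a DSSE signature covers the
    whole payload, so subjects cannot be dropped from a signed envelope.
    Every returned statement is meant to be signed on its own afterwards.
    """
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        raise ValueError("unsupported statement type")
    subjects = statement.get("subject") or []
    if not subjects:
        raise ValueError("statement has no subjects")

    out = {}
    for subj in subjects:
        name = subj["name"]
        # Subject names become file names, so refuse anything path-like.
        if not name or "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"unsafe subject name: {name!r}")
        filename = f"{name}.intoto.jsonl"  # naming convention assumed for this example
        if filename in out:
            raise ValueError(f"duplicate subject name: {name!r}")
        single = copy.deepcopy(statement)  # predicate is shared verbatim, never aliased
        single["subject"] = [copy.deepcopy(subj)]
        out[filename] = single
    return out


def serialize(statements):
    """Compact JSON per file, ready to be wrapped in a DSSE envelope and signed."""
    return {
        fn: json.dumps(st, sort_keys=True, separators=(",", ":"))
        for fn, st in statements.items()
    }


if __name__ == "__main__":
    for fn, body in serialize(split_per_artifact(MULTI_SUBJECT_STATEMENT)).items():
        print(fn, len(body), "bytes")
```

The verifier side then looks up provenance by the artifact's own name and checks that the single subject's digest matches the file it downloaded; nothing in this split changes the predicate, so the build details stay identical across all per-artifact files.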

https://slsa.dev/provenance/v1#builddefinition states for `internalParameters`: > There is no need to [verify](https://slsa.dev/spec/v1.0/verifying-artifacts) these parameters because the build platform is already trusted, and in many cases it is not practical to do...

type:discussion
area:BYOB

We currently use `externalParameters.workflow` for generators. There is WIP to better define how to report this, and maybe have it under resolvedDependencies with annotations.

type:feature
area:BYOB
specs:v1.0

Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/8761864099
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml
Trigger: schedule
Branch: main
Date: Sat Apr 20 02:16:19 UTC 2024

type:bug
e2e
area:gcb

Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/9135628759
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml
Trigger: workflow_dispatch
Branch: main
Date: Sat May 18 00:07:26 UTC 2024

type:bug
e2e
area:maven

# Summary

Adds a BYOB Move builder. Move is a programming language developed by Facebook (now Meta) for the Libra blockchain project, which was later rebranded as Diem. Designed specifically...

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/pelletier/go-toml](https://togithub.com/pelletier/go-toml) | `v1.9.5` -> `v2.2.3` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fpelletier%2fgo-toml/v2.2.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fpelletier%2fgo-toml/v2.2.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)... |

status:help wanted

Renovate doesn't seem to update transitive dependencies unless a direct dependency is updated. This means some transitive dependencies with vulnerabilities could go a while before being updated. https://docs.renovatebot.com/configuration-options/#lockfilemaintenance

type:feature
area:tooling

**Is your feature request related to a problem? Please describe.** GitHub [recently released](https://github.blog/changelog/2024-05-02-artifact-attestations-public-beta/) [Artifact Attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds) as a new feature. It seems to overlap with the generators here, although I'm not...

type:documentation
type:feature

**Is your feature request related to a problem? Please describe.** `builder_go_slsa3.yml` is a reusable workflow, so I cannot set environment variables when using it > Any environment variables set in...

type:feature
area:go
area:generic