slsa-github-generator
Language-agnostic SLSA provenance generation for GitHub Actions
We don't have a Python example yet. It would be great to add one in https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/generic#integration-with-other-build-systems @sethmlarson would you be interested in adding your example?
The team are looking for the right ecosystem to target next and build a level 3 builder for. Please use this issue to vote for the ecosystem you care about....
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@vercel/ncc](https://togithub.com/vercel/ncc) | [`0.31.1` -> `0.34.0`](https://renovatebot.com/diffs/npm/@vercel%2fncc/0.31.1/0.34.0) | ... |
The log entry https://github.com/slsa-framework/slsa-github-generator/blob/main/signing/sigstore/rekor.go#L68 has the information for validating the inclusion proof, so we should be able to just do:

```go
logEntry, err := cosign.TLogUploadInTotoAttestation(ctx, rekorClient, att.Bytes(), []byte(string(att.Cert())))
...
err...
```
- [x] Different triggers (push, workflow_dispatch, schedule, new-tag)
  - [x] push - https://github.com/slsa-framework/example-package/pull/93
  - [x] schedule - https://github.com/slsa-framework/example-package/pull/91
  - [x] workflow_dispatch - https://github.com/slsa-framework/example-package/pull/94
  - [x] tag - https://github.com/slsa-framework/example-package/pull/95
- [...
See discussion https://github.com/slsa-framework/slsa-github-generator/pull/646#issuecomment-1203339093
Scorecard build failed https://github.com/ossf/scorecard/runs/7638656220?check_suite_focus=true:

```
Fetching the builder with ref: refs/tags/v1.0.0
Builder version: v1.0.0
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
verifier hash computed is 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
verifier hash verification has passed
panic: error getting targets...
```
I have a GitHub build running which is building three docker images; for each docker image I want an attestation.intoto.jsonl file, but I am only getting one file in Artifacts. Is it...
**Describe the bug** With `go 1.18` the build info https://pkg.go.dev/debug/buildinfo@master is embedded within the binary. I used this example source code to investigate the buildinfo:

```
package main

import (...
```
Add some docs and samples of using cosign to verify provenance w/ cue policy (rego seems to not really be supported as much).