slsa-github-generator
Language-agnostic SLSA provenance generation for GitHub Actions
See https://github.com/slsa-framework/slsa-github-generator/pull/35/files#r858908103 Something to try.
**Describe the bug**
Improve repository's OpenSSF Scorecard score (currently at 7.1)

**To Reproduce**
`docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/slsa-framework/slsa-github-generator --format=json > scorecard_slsa-framework_slsa-github-generator.json`

**Expected behavior**
- Branch Protections could be...
Leaks of: 1. `GITHUB_TOKEN` which allows requesting certs from Fulcio. Not sure yet what we can do here, besides hardening our implementation and verifying that the keys don't leak in...
The Go project does support hermeticity at the moment by building in 2 steps:
1. Vendoring: `go mod vendor`
2. Build with `go build --mod=vendor`

However we currently:
1. Do...
We may want to make it easier for users to generate/upload provenance on a registry. Either we do the upload for them, or we properly document how to do it...
This Pull Request:
- adds the digest input
- Fix: attestation generation (adds the missing subjects)
- remove already set env variables

co-authored-by @jobroe10

We made these changes while using...
Document examples using [Connaisseur](https://sse-secure-systems.github.io/connaisseur/v2.6.1/) to verify provenance.
I'm not sure this should be handled via an OSSF-org policy or if individual projects need their own. @david-a-wheeler can you advise?