slsa-github-generator

slsa-github-generator copied to clipboard

[feature] Generic container workflow

1

A container workflow similar to the generic workflow that allows users to build a container themselves in the user workflow and then generate provenance for it. - [x] Add container...

ianlewis

[feature] SLSA Go builds tarball for builds

3

**Describe the bug** The SLSA builder used in https://github.com/ossf/scorecard/issues/2024 had stopped creating tarballs. We need tarballs.

naveensrinivasan

[docs] Update docs for generic and container generator release

3

Update docs to use the release tags etc.

ianlewis

[docs] Verification with sigstore-policy-controller

4

Document examples using [sigstore-policy-controller](https://docs.sigstore.dev/policy-controller/overview) to verify provenance.

ianlewis

[docs] Generate provenance for containers and store in ghcr.io

3

ianlewis

[docs] Verifying provenance with OPA

2

Docs on verifying provenance generated by the generic workflow with [Open Policy Agent](https://www.openpolicyagent.org/)

ianlewis

Examples on using generic provenance for containers

26

- [ ] Example for generating provenance and storing in ghcr.io (#390) - [ ] Examples of policy verification with [Kyverno](https://kyverno.io/) (#389) - [ ] Examples of policy verification with...

ianlewis

feat: add configurable rekor address to workflows

15

Signed-off-by: Asra Ali Completes https://github.com/slsa-framework/slsa-github-generator/issues/372 to allow workflow inputs for go and generic.

asraa

Support for multiple Go builds

4

Our current config file is inspired by goreleaser's config file but was simplified to show feasibility of the approach. We need to enhance the config file to support multiple builds....

laurentsimon

GitHub action for common tasks

14

Across reusable workflows, we need: - [x] Checkout the repo at the right ref (#49) - [x] Build the builder - [x] Download-verify the builder - [ ] Declaration of...

laurentsimon