
SLSA verifier as a service

Open laurentsimon opened this issue 2 years ago • 3 comments

To make the verifier accessible to everyone easily, we could have a REST/gRPC API to verify as a service. Possible use cases:

  • OSSF or another org runs a verifier as a service. Note that this requires more thought w.r.t. authenticity of the results. TLS interception does happen, so we ought to think about signing the results. This quickly becomes complicated if we want to support key rotation.
  • Someone wants to deploy a service on their k8s cluster. Same question here around authenticity of the results. May need some sort of workload identity support.
  • Someone wants to deploy a service on their own infra, using a container image.

laurentsimon, Jul 22 '22 17:07
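
The result-signing and key-rotation concern raised in the issue, sketched as an added example that is not part of the original post and not slsa-verifier code. It assumes Ed25519 signatures, hypothetical `Result` and `Envelope` types, and a client-side map of key IDs to public keys distributed out of band.

```go
// Added example, not slsa-verifier code: all names here are hypothetical.
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Result is a hypothetical verdict returned by the verification service.
type Result struct {
	ArtifactDigest string `json:"artifact_digest"`
	Passed         bool   `json:"passed"`
}

// Envelope carries the exact bytes that were signed plus the signing key's ID.
type Envelope struct {
	KeyID   string `json:"key_id"`
	Payload []byte `json:"payload"`
	Sig     []byte `json:"sig"`
}

// Sign is the service side: serialize the verdict, then sign those bytes.
func Sign(keyID string, priv ed25519.PrivateKey, r Result) Envelope {
	payload, _ := json.Marshal(r) // cannot fail for this plain struct
	return Envelope{KeyID: keyID, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Open is the client side. trusted maps key IDs to public keys obtained out of
// band; rotating means adding the new ID and later deleting the old one.
func Open(trusted map[string]ed25519.PublicKey, e Envelope) (Result, error) {
	pub, ok := trusted[e.KeyID]
	if !ok {
		return Result{}, errors.New("unknown or retired key id")
	}
	if !ed25519.Verify(pub, e.Payload, e.Sig) {
		return Result{}, errors.New("signature does not match payload")
	}
	var r Result
	// Parse only after the signature check, and only the signed bytes.
	err := json.Unmarshal(e.Payload, &r)
	return r, err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key, constructed for the demo
	env := Sign("k1", priv, Result{ArtifactDigest: "sha256:<placeholder>", Passed: true})
	fmt.Println(Open(map[string]ed25519.PublicKey{"k1": pub}, env))
}
```

Because the client checks the signature over the payload bytes rather than trusting the channel, a TLS-intercepting proxy that rewrites the verdict produces a verification failure; how clients learn the current key set is the part the issue flags as complicated and is left out here.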