
SLSA-Verifier Support Azure Devops

Open 1649899 opened this issue 2 years ago • 4 comments

Can we use "slsa-verifier" in Azure Devops? If yes, can you share the steps?

1649899 avatar Dec 05 '22 16:12 1649899

We currently don't support Azure. Can you point us to the relevant documentation? Note that I'm not aware of Azure generating provenance today, but I could be wrong.

laurentsimon avatar Dec 05 '22 18:12 laurentsimon

> We currently don't support Azure. Can you point us to the relevant documentation? Note that I'm not aware of Azure generating provenance today, but I could be wrong.

here is the extension - https://marketplace.visualstudio.com/items?itemName=gattjoe.SLSAProvenanceGenerator

1633605 avatar Dec 06 '22 05:12 1633605

Thanks. We're trying to onboard builders that are level 3 and above, since for level 1 builders, there is nothing to verify, i.e. tampering is not guaranteed. Do you know if higher levels will be possible?

laurentsimon avatar Dec 06 '22 16:12 laurentsimon

+1

Are you looking to validate the SLSA 1 provenance against a policy? If so, then using a policy validator is best here. The main responsibility of slsa-verifier is to validate the provenance cryptographically using SLSA 3 builder keys and then verify against a minimal authorization (source repo, tags, etc.).

asraa avatar Dec 06 '22 16:12 asraa
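
The two-stage check described in the thread (cryptographic verification first, then a minimal match on source repo and tag), sketched as an added example that is not slsa-verifier's own code or part of the original discussion. It assumes a SLSA v0.2 provenance statement shaped like GitHub-builder output; the builder id, repository and digest are constructed values, and signature verification is represented only by a boolean passed in by the caller.

```python
import hashlib

# Constructed sample: an in-toto statement with a SLSA v0.2 provenance predicate.
# Every value here is made up for illustration.
ARTIFACT = b"constructed artifact bytes"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {
        "builder": {"id": "https://builder.example/trusted-workflow@refs/tags/v1"},
        "invocation": {
            "configSource": {"uri": "git+https://github.com/example-org/app@refs/tags/v1.2.0"},
            "environment": {"github_ref": "refs/tags/v1.2.0"},
        },
    },
}


def check_expectations(statement, artifact, signature_verified,
                       trusted_builders, source_uri, source_tag=None):
    """Return a list of failures; an empty list means the artifact is accepted."""
    # Fail closed: without a verified signature every field below is
    # attacker-controlled, so comparing it to expectations proves nothing.
    if not signature_verified:
        return ["provenance signature not verified"]
    failures = []
    pred = statement.get("predicate", {})
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if digest not in subjects:
        failures.append("artifact digest not in subject list")
    if pred.get("builder", {}).get("id") not in trusted_builders:
        failures.append("untrusted builder id")
    inv = pred.get("invocation", {})
    uri = inv.get("configSource", {}).get("uri", "")
    # Strip the "git+" scheme prefix and the "@ref" suffix before comparing.
    repo = (uri[4:] if uri.startswith("git+") else uri).split("@", 1)[0]
    if repo != source_uri:
        failures.append("source repository mismatch")
    if source_tag is not None:
        ref = inv.get("environment", {}).get("github_ref", "")
        if ref != "refs/tags/" + source_tag:
            failures.append("source tag mismatch")
    return failures
```
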