slsa-verifier
Verify provenance from SLSA compliant builders
In certain scenarios, a user may not know what the builder is. Example: someone creates a monitoring service to monitor provenance changes for packages. The builder *may* change (and have...
We should try to turn on this option if possible, stapling or anything the server supports.
Let's add a section in the README to call out which parts of the code follow semver: the CLI arguments and behavior. Currently no guarantees on CLI output and API.
In https://github.com/slsa-framework/slsa-verifier/pull/257, I added support for builder tag verification. All the existing generic container tests use a builder pinned at `@main`. It works because of the exception for example-package repository....
@laurentsimon brought up that GCB has 3 build IDs that may depend on how the build was configured. We can consider supporting a wildcard matching (maybe not fully expressive regex...
I'm seeing some warnings when using the git command: ``` remote: warning: See http://git.io/iEPt8g for more information. remote: warning: File 278574a27b5008ce50cfe31c787cd00f0d7e6ea4 is 54.86 MB; this is larger than GitHub's recommended...
Type confusion in https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296 I don't think we explicitly check for this... but we check for builders who only support SLSA attestation. Still, let's make the check more explicit, unless...
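The issue above asks for an explicit predicate-type check so that an attestation carrying a different predicate (an SBOM, say) is never decoded as SLSA provenance. The following is an added example and is not slsa-verifier's own code: it models the in-toto Statement envelope payload with a minimal struct, rejects any statement whose `_type` or `predicateType` is not the expected one before the predicate body is touched, and exercises the check on two constructed payloads. The `statement` struct, the `CheckPredicateType` function and the sample payloads are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// statement is a constructed, minimal view of an in-toto Statement payload.
// Predicate is kept raw on purpose: it is only decoded after the type check.
type statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

const (
	intotoStatementV01 = "https://in-toto.io/Statement/v0.1"
	slsaProvenanceV02  = "https://slsa.dev/provenance/v0.2"
)

var ErrPredicateType = errors.New("unexpected predicateType")

// CheckPredicateType parses only the envelope fields and refuses any payload
// whose statement type or predicateType differs from what the caller expects.
// The predicate body is not decoded at all on the rejection path, so a
// different predicate schema cannot be misread as provenance.
func CheckPredicateType(payload []byte, wantPredicate string) error {
	var st statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return fmt.Errorf("parsing statement: %w", err)
	}
	if st.Type != intotoStatementV01 {
		return fmt.Errorf("unexpected statement _type %q", st.Type)
	}
	if st.PredicateType != wantPredicate {
		return fmt.Errorf("%w: got %q, want %q", ErrPredicateType, st.PredicateType, wantPredicate)
	}
	return nil
}

// Constructed sample payloads (not real attestations). Both carry a predicate
// with a "builder" key, so a check that only looked at the predicate body
// would accept both; only the predicateType tells them apart.
var provenancePayload = []byte(`{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [{"name": "app", "digest": {"sha256": "00"}}],
  "predicate": {"builder": {"id": "https://example.invalid/builder"}}
}`)

var otherPredicatePayload = []byte(`{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://example.invalid/not-provenance/v1",
  "subject": [{"name": "app", "digest": {"sha256": "00"}}],
  "predicate": {"builder": {"id": "https://example.invalid/builder"}}
}`)

func main() {
	fmt.Println("provenance:", CheckPredicateType(provenancePayload, slsaProvenanceV02))
	fmt.Println("other:     ", CheckPredicateType(otherPredicatePayload, slsaProvenanceV02))
}
```

Keeping `Predicate` as `json.RawMessage` is the important design choice: the envelope is validated first, and decoding into a provenance struct happens only after `CheckPredicateType` returns nil, so a non-provenance predicate never reaches the provenance-specific verification logic.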
I was looking at the changelog for [`v2.0.0-rc.0` release candidate](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.0.0-rc.0) and couldn't figure out the breaking change that is resulting in a major version bump. I think using the `Breaking...