-
Hello, based on your [SLSA SVG badge](https://github.com/slsa-framework/slsa/blob/main/docs/images/gh-badge-level3.svg) I created a [shields.io](https://shields.io/) badge
[![slsa](https://img.shie…
-
npm now supports SLSA v1.0 so we should support generating v1.0 by default in the builder.
- [ ] Support for SLSA v1.0 in Node.js builder by default
- [ ] e2e tests for Node.js builder with SLSA v…
-
Hey, I'm Pedro and I'm working on behalf of Google and the [Open Source Security Foundation][ossf] (OpenSSF). Given the significant [increase in supply-chain attacks][sonatype], the OpenSSF is focused…
-
**Describe the problem/challenge you have**
Currently, the artefacts produced by the different Carvel projects (binaries, images, bundles) are not signed. It would be nice if they were all signed t…
-
**Description**
SLSA GitHub generators use Sigstore signing to sign releases. Trusted builders use their GH provided OIDC identity to sign. The source repository is contained inside OID extensions,…
-
Tests often fail with the following error. This seems to be due to [`go install`](https://github.com/slsa-framework/example-package/blob/7d18190b5538def004fb4be8d6f26969b0485155/.github/workflows/scri…
-
Investigate slsa provenance generation https://slsa.dev/provenance/v1
-
This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
This repository currently has no…
-
This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.
## Open
These updates have all …
-
The following step in the workflow always seems to fail for quite a while: https://github.com/jetstack/jetstack-secure/blob/master/.github/workflows/release-master.yml#L95-L100
We don't see it beca…