-
Provenance generation can be shared across ecosystems, except for some inputs like `buildConfig` and `parameters` that should be provided by ecosystem-specific builders.
We need to refactor the cod…
-
### Describe the bug
Flattening (some) OCI images fails with the following error:
```console
$ crane flatten docker.io/svvac/test-images:crane-flatten
2023/04/04 13:59:34 pushed blob: sha256:5…
```
-
This should prevent #23 from recurring.
If #38 lands as it is, with `gazelle`, we could even attempt to automatically fix the Bazel build when Go deps are updated/new ones are added.
-
We need e2e tests. We will need to create test repos that generate provenance and verify via `schedule` events, and report an issue automatically if they fail.
-
We need to organize docs by workflow.
- README.md - base readme for the project. Links to docs for individual workflows
- builders/go/README.md - Doc for Go builder.
- builders/slsa/README.md…
-
The ["build as code" requirement](https://slsa.dev/spec/v0.1/requirements#build-as-code) currently states that build definitions and configuration must be stored in version control, however there may …
-
Currently the hashes of the artifacts passed between jobs are [validated](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/builder_go_slsa3.yml#L256-L258) using:
``…
-
I interpreted this repository as a Go command-line tool to generate a GitHub workflow boilerplate.
- Is it a code generator?
- Is it provenance?
- Is it an example using Go?
- …
-
test for e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml
-
There's a recent attack that manages to rename repositories (https://sockpuppets.medium.com/how-i-hacked-ctx-and-phpass-modules-656638c6ec5e), which would bypass the current provenance verification.
…