-
In #1191 @zachariahcox says
On
> > *Threat:* Replace the package with one built using an unofficial CI/CD pipeline that does not build in the correct way.
> >
> > *Mitigation:* Verifier requir…
-
Should be more straightforward now with the new "[Bring your own Builder](https://slsa.dev/blog/2023/08/bring-your-own-builder-github)" feature.
Since we're likely to want SLSA build provenance lat…
-
see: https://github.com/slsa-framework/slsa-github-generator/blob/3d27f18a67e12a251517ca9af35771a93da39526/internal/builders/generic/README.md
see: https://security.googleblog.com/2022/04/improving-so…
-
Recently @nicoleschwartz shared [this query](https://platform.activestate.com/sv/buildplanner/graphql?_ga=2.150203056.708135455.1727384512-132845242.1652072644&query=query%20slsa%20%7B%0A%20%20project…
-
My colleague @facutuesca observed this bug with the `generator_generic_slsa3.yml` action.
**Describe the bug**
In SLSA 0.1 and 0.2, `buildInvocationId` is spelled with a lowercase "d":
Si…
-
The artifact a VSA applies to is identified using the `resourceUri` in the attestation predicate (per https://slsa.dev/spec/v1.0/verification_summary#fields). Should the VSA spec add guidance about ho…
-
example scenario: check if an image was built from a specific repo, with a specific branch/commit, include certain reviewers, etc
https://slsa.dev/provenance/v0.2
-
### What would you like to be added?
Please add [SLSA provenance](https://slsa.dev/) to your releases.
It is easy to do on GitHub:
https://github.com/slsa-framework/slsa-github-generator/blo…
-
Thank you for your work on dragonfly.
However, given the nature of the modern world we live in, it would be nice if you could add [SLSA provenance](https://slsa.dev/) to your releases.
This coul…
-
With https://github.com/slsa-framework/slsa-github-generator we should be able to build SLSA-compliant provenance. I can then look into what else we need to do to reach SLSA Level 3.