-
My colleague @facutuesca observed this bug with the `generator_generic_slsa3.yml` action.
**Describe the bug**
In SLSA 0.1 and 0.2, `buildInvocationId` is spelled with a lowercase "d":
Si…
-
### Contact Details
_No response_
### Is there an existing issue for this?
- [X] I have searched all the existing issues
### What would you like to be added?
make all binary files with S…
-
The artifact a VSA applies to is identified using the `resourceUri` in the attestation predicate (per https://slsa.dev/spec/v1.0/verification_summary#fields). Should the VSA spec add guidance about ho…
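As an added illustration of the fields this issue refers to (example code, not part of the issue or of the SLSA project), the check below binds an artifact to a VSA by subject digest and then compares the predicate's `resourceUri` against the identifier the consumer expects. The statement, digest and `pkg:` URI are constructed sample values; signature verification of the surrounding DSSE envelope is assumed to have happened before this step and is not shown.

```python
import hashlib

# predicateType of a SLSA v1.0 Verification Summary Attestation
VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"

# Constructed sample artifact (not a real release file).
ARTIFACT = b"example release payload\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed in-toto Statement carrying a VSA predicate. Every value here is
# made up for illustration; the resourceUri uses a hypothetical pURL.
SAMPLE_VSA = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {
            "name": "example-app_1.0.0_linux_amd64.tar.gz",
            "digest": {"sha256": ARTIFACT_SHA256},
        }
    ],
    "predicateType": VSA_PREDICATE_TYPE,
    "predicate": {
        "verifier": {"id": "https://example.com/verifier"},
        "timeVerified": "2024-01-01T00:00:00Z",
        "resourceUri": "pkg:generic/example-app@1.0.0",
        "policy": {"uri": "https://example.com/policy/example-app"},
        "verificationResult": "PASSED",
        "verifiedLevels": ["SLSA_BUILD_LEVEL_3"],
        "slsaVersion": "1.0",
    },
}


def level_satisfies(have: str, need: str) -> bool:
    """Levels look like '<TRACK>_LEVEL_<n>'; a higher number on the same
    track satisfies a lower requirement, a different track never does."""
    have_track, _, have_n = have.rpartition("_LEVEL_")
    need_track, _, need_n = need.rpartition("_LEVEL_")
    return (
        have_track == need_track
        and have_n.isdigit()
        and need_n.isdigit()
        and int(have_n) >= int(need_n)
    )


def check_vsa(statement: dict, artifact: bytes, expected_uri: str, required_level: str):
    """Return (ok, reason) for a consumer that holds `artifact` and wants a
    VSA for exactly `expected_uri` at `required_level` or better."""
    if statement.get("predicateType") != VSA_PREDICATE_TYPE:
        return False, "unexpected predicateType"
    pred = statement.get("predicate", {})

    # The resourceUri must be the exact identifier the consumer asked about;
    # a VSA for a different package or version is not evidence for this one.
    if pred.get("resourceUri") != expected_uri:
        return False, "resourceUri mismatch"

    # The artifact in hand must be one of the statement's subjects by digest;
    # the resourceUri alone does not bind bytes to the attestation.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return False, "artifact digest not in subject"

    if pred.get("verificationResult") != "PASSED":
        return False, "verificationResult is not PASSED"

    if not any(level_satisfies(lvl, required_level) for lvl in pred.get("verifiedLevels", [])):
        return False, "required level not present"

    return True, "ok"


if __name__ == "__main__":
    print(check_vsa(SAMPLE_VSA, ARTIFACT, "pkg:generic/example-app@1.0.0", "SLSA_BUILD_LEVEL_3"))
```

The order of checks matters for the failure message only; a real verifier must reject on any failed check, and the `resourceUri` comparison is deliberately an exact string match, since any normalisation rule is exactly the kind of guidance the issue asks the spec to provide.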
-
I am using Please build and would love to see some provenance attestation data being output when I run the build. Lately the requests in open source for provenance data are growing and also in the busi…
-
Now this workflow builds and releases assets using GoReleaser in the same job.
But in terms of security, and to meet SLSA Level 3, we should separate build and release jobs.
One of the concerns is rel…
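As an added example of the split the issue proposes (this is not the repository's workflow and not the issue author's proposal), the GitHub Actions workflow below builds with GoReleaser in one job, generates provenance in a second job via the SLSA generic generator's reusable workflow, and uploads release assets from a third. The project name `example-app`, the `dist/*/example-app` output path, the pinned action versions and the tag pattern are assumptions for illustration; `goreleaser build` is used rather than `goreleaser release` so that the build job never holds a token that can write to the release.

```yaml
# Added example: build, provenance and release as separate jobs.
name: release
on:
  push:
    tags: ["v*"]

# No default permissions; each job requests only what it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # read-only: this job cannot publish anything
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: goreleaser/goreleaser-action@v6
        with:
          version: "~> v2"
          args: build --clean   # build only, no GitHub release from here
      - id: hash
        # Subjects for the generator: `sha256sum` output, base64-encoded with no
        # line wrapping. The dist/*/example-app layout is an assumption.
        run: |
          echo "hashes=$(sha256sum dist/*/example-app | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  provenance:
    needs: [build]
    permissions:
      actions: read    # read workflow run metadata
      id-token: write  # OIDC token for Sigstore signing
      contents: write  # attach provenance to the release
    # Reusable workflow: provenance is produced outside the build job, so a
    # compromised build step cannot forge it.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      upload-assets: true

  release:
    needs: [build, provenance]
    runs-on: ubuntu-latest
    permissions:
      contents: write  # the only job allowed to publish binaries
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: softprops/action-gh-release@v2
        with:
          files: dist/*/example-app
```

Consumers then verify a downloaded binary against the attached `*.intoto.jsonl` with `slsa-verifier verify-artifact`, which checks that the subject digest, source repository and tag in the provenance match what was downloaded.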
-
The 'Dependency Confusion' threat ([link](https://slsa.dev/spec/draft/threats#usage-threats:~:text=Threat%3A%20Register,of%20this%20section)) needs a mitigation section and perhaps examples.
-
- License requirements
- CI/CD
- SLSA?
-
**Description**
I'm trying to use `kubectl-sigstore sign --no-tlog-upload` offline, but I still get the "The sigstore service, hosted by sigstore" warning.
When I try `kubectl-sigstore sign -f v…
-
Part of SLSA level 3 and SSDF PO5.1. Part of this should be to avoid any possible interference from non-build processes to the systems used for building.
There are other technologies which could be u…
-
Fields like `subject-name`, `source-sha1` may be required.
- subject-name is often used for container image
- source-sha1 is useful for commit hash on a repo, but also if source is a tarball / zip f…