aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0
3.58k stars 416 forks

use slsa-framework Generators to provide SLSA provenance to be compliant with SLSA Level 3 #3211

Open developer-guy opened 1 year ago

developer-guy commented 1 year ago

The SLSA Framework organization provides a bunch of generators (Trusted Go builder^1, Generic Generator^2, Container Generator^3) today, and all of them were announced as GA^4 pretty recently. So, we can use these generators to generate SLSA provenance to be compliant with SLSA Level 3 without much toil.

I'm willing to work on this!

rafaeldtinoco commented 1 year ago

@itaysk and @yanivagman for awareness and directions.

itaysk commented 1 year ago

Hi @developer-guy and thanks for the suggestion! I would prefer to wait with this one. Tracee's build process is quite complex compared to any other "regular" Go application and is still evolving, so I do anticipate this adding some kind of maintenance burden. If we got enough evidence that users required it, we would consider it, but that's not the case right now.