Open achrinza opened 2 years ago
There are three ways to achieve SLSA levels of assurance:
Method | SLSA Security Level | SLSA Provenance Statement Version | Accepted by NPM Registry? | Status
---|---|---|---|---
Standalone npm provenance | Build L2 | v1.0 | Yes | Stable
SLSA Node.js Builder | Build L3 | v0.2 | Yes | Beta
GitHub Artifact Attestation | Build L2 | ??? | ??? | ???
SLSA Build L2 only guarantees the authenticity of the subject of the provenance document. This means that we can only guarantee that the provenance was created within a GitHub-hosted runner, but we can't guarantee that the contents of the provenance are accurate. In other words, L2 is useful for preventing post-build tampering, but not during-build tampering.
SLSA Build L3 extends L2 by protecting against during-build tampering through a security boundary. This makes the provenance unforgeable.
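The L2/L3 distinction above in code, as an added example (not from the issue or any SLSA project): a consumer-side check of an SLSA v1.0 provenance statement that catches post-build tampering (subject digest mismatch) and an untrusted builder, but by construction cannot see during-build tampering. The statement, the artifact bytes and the trusted builder ID are constructed here; verification of the Sigstore/DSSE signature over the statement is assumed to have happened already.

```python
import hashlib
import json

# Constructed artifact and statement; the builder ID is an assumed value for
# an npm provenance statement produced on a GitHub-hosted runner.
ARTIFACT = b"example-package-1.0.0.tgz contents (constructed)"
TRUSTED_BUILDERS = {"https://github.com/actions/runner/github-hosted"}
STATEMENT_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/example@1.0.0",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/buildtype (constructed)"},
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
})


def verify_provenance(artifact: bytes, statement_json: str, trusted_builders: set[str]) -> str:
    """Return "ok" or a short reason why the artifact must not be trusted."""
    stmt = json.loads(statement_json)
    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        return "unexpected statement type"
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        return "unexpected predicate type"
    # Post-build tamper check: the bytes we hold must match one of the subjects.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        return "subject digest mismatch: artifact was modified after the build"
    # Builder identity check: only a trusted hosted builder is accepted (L2).
    builder = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return f"untrusted builder: {builder}"
    return "ok"


if __name__ == "__main__":
    print(verify_provenance(ARTIFACT, STATEMENT_JSON, TRUSTED_BUILDERS))
    print(verify_provenance(ARTIFACT + b"!", STATEMENT_JSON, TRUSTED_BUILDERS))
```

A workflow step compromised during the build can emit a statement whose subject digest already matches the tampered artifact, so this check passes; only the L3 security boundary rules that out.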
npm provenance
This is an "official" builder which builds on the BYOB framework.
see: https://github.com/slsa-framework/slsa-github-generator/issues/3618#issuecomment-2153663634
see: https://github.com/slsa-framework/slsa-github-generator/blob/3d27f18a67e12a251517ca9af35771a93da39526/internal/builders/generic/README.md
see: https://security.googleblog.com/2022/04/improving-software-supply-chain.html