behnazh-w
commented
1 month ago Linking to example SLSA provenances, VSAs, and tools that can process them is crucial and deserves more attention. Here’s a list of the build types we’ve encountered so far in the Macaron project:
Build Types
-
SLSA GitHub Provenance Generator:
https://github.com/slsa-framework/slsa-github-generator/generic@v1 -
GitHub Artifact Attestation and npm Provenances:
https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1https://github.com/npm/cli/gha/v2
-
Google Cloud Build:
https://slsa-framework.github.io/gcb-buildtypes/triggered-build/v1 -
Witness Provenances:
https://witness.testifysec.com/attestation-collection/v0.1
Additional Resources
To further assist users in discovering existing tools that support SLSA, I propose the following:
-
Dedicated Repository: Create a repository for information about tools that support SLSA, similar to CycloneDX.
-
Related Issue: For more context, see Issue #1118.
ramonpetgrave64
Recently @nicoleschwartz shared this query and these docs to provide example SLSA provenance and VSAs.
It occurred to me that we don't have those examples linked to from this repo, and that would be pretty handy?
We don't exactly have a great place to do that at the moment (though we do index some build types).
Any thoughts on how to make examples like this more discoverable?