mlieberman85
commented
2 years ago I think we should clarify it a bit. The intent is to just ensure that the code describing a build has adequate provenance that can be traced back through some process involving approvals, trusted identities etc. However as written I agree that it really seems to indicate only build coming straight from source would count.
I think Tekton Bundles and similar do count as long as you have some way to trace those bundles back to the source. We plan to do something similar for "ssf" which uses Tekton and the idea would be to have SLSA provenance attestations for the Tekton bundles themselves and so the bundle would have the source as "materials"
joshuagl
MarkLodato
The "build as code" requirement currently states that build definitions and configuration must be stored in version control, however there may be other ways to meet this requirement.
The spirit of the requirement seems to be that ultimately the definition should still be traceable back to version control but perhaps it can also be met by build definitions which are published from there to an intermediate location - for example Tekton has the concept of a Tekton Bundle which is Tekton Task or Pipeline definitions that have been published to an OCI registry.
It would be great to update the "build as code" requirement to make it clear that while ultimately the origin of the build definition should be traceable back to version control (e.g. via provenance stored in the same OCI registry in the case of Tekton Bundles), not that the definition must have been fetched directly from version control.
(More context available in SLSA + Tekton: Case Study - the doc is visible to anyone in mailing list slsa-discussion@googlegroups.com )