Behnaz Hassanshahi

Results: 79 issues by Behnaz Hassanshahi

**Describe the bug** For complex projects that include multiple modules or packages, the number of subjects and size of `base64-subjects` can easily grow larger than [the allowed size](https://stackoverflow.com/questions/1078031/what-is-the-maximum-size-of-a-linux-environment-variable-value) of command-line...

type:bug
workflow:generic

### Describe the bug The [B202:tarfile_unsafe_members](https://bandit.readthedocs.io/en/latest/plugins/b202_tarfile_unsafe_members.html) documentation says to pass a callable as the `members` argument but that’s not supported in [the official type signature](https://github.com/python/typeshed/blob/1d7f0d087b36d07ce34edca5ab119fdaabf7aed7/stdlib/tarfile.pyi#L295) and not implemented in [CPython...

bug
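For context on the B202 issue above: `tarfile.extractall()` does accept an iterable of `TarInfo` objects in `members`, so the practical mitigation is a generator that filters the archive's member list before extraction rather than a callable passed directly. The block below is an added example, not Bandit's documentation code and not code from the issue; the archive it builds is constructed in memory (one benign entry, one `../` traversal entry, one absolute-path entry) purely to exercise the filter.

```python
import io
import os
import tarfile
import tempfile


def safe_members(tar, dest):
    """Yield only members that are safe to extract under dest.

    extractall() takes an iterable of TarInfo for `members`, so this
    generator drops path-traversal and absolute-path entries as well as
    symlinks, hard links and device nodes before anything is written.
    """
    dest_real = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        # Anything resolving outside dest (".." segments or absolute names) is skipped.
        if os.path.commonpath([dest_real, target]) != dest_real:
            continue
        # Links and device nodes can redirect later writes; skip them too.
        if member.issym() or member.islnk() or member.isdev():
            continue
        yield member


def build_sample_tar():
    """Constructed sample archive (not from the issue): one benign file,
    one path-traversal entry and one absolute-path entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("ok/hello.txt", b"hi"),
                           ("../evil.txt", b"pwned"),
                           ("/etc/also_evil", b"pwned")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def extract_safely(archive, dest):
    """Extract archive into dest using the filtered member list and
    return the sorted names of the members that were extracted."""
    with tarfile.open(fileobj=archive, mode="r") as tar:
        kept = list(safe_members(tar, dest))
        tar.extractall(path=dest, members=kept)
    return sorted(m.name for m in kept)


def demo():
    """Run the filter on the sample archive; returns (kept names, benign file exists)."""
    with tempfile.TemporaryDirectory() as dest:
        names = extract_safely(build_sample_tar(), dest)
        return names, os.path.exists(os.path.join(dest, "ok", "hello.txt"))


if __name__ == "__main__":
    print(demo())
```

On Python 3.12 and later the `filter="data"` argument to `extractall()` gives similar protection natively; the generator approach above works on older interpreters and lets you log or reject the dropped entries explicitly.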

The trustworthiness of provenances in Build L2 needs clarification. The requirement [states](https://slsa.dev/spec/v1.0/levels#build-l2) that the trustworthiness of the provenance is ensured. However, without hardening the build platform, this requirement will not...

Moving [the discussion on the slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/issues/2344) repository here for broader visibility. According to SLSA v1.0, Build L3: Hardened builds > Provides strong confidence that the package was built from the...

According to SLSA v1.0, Build L3: Hardened builds > Provides strong confidence that the package was built from the official source and **build process**. Based on this statement, my question...

type:question
area:generic
area:container

The provenance generation on [micronaut-core](https://github.com/micronaut-projects/micronaut-core/actions/runs/6039112753/job/16391009301) repository has failed after [updating](https://github.com/micronaut-projects/micronaut-core/actions/runs/6039112753/workflow#L137) the provenance generator to v1.9.0 (and the error message is not helpful for debugging). Looking into the logs, it fails...

type:bug
area:generic

For GitHub projects that enforce an allow-list for third-party GitHub Actions, like [Macaron](https://github.com/oracle-samples/macaron), it would be necessary to avoid calling the third-party GitHub Actions in the provenance generator and instead...

type:feature
area:go
area:generic
area:container
area:docker-based

I was looking at the changelog for [`v2.0.0-rc.0` release candidate](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.0.0-rc.0) and couldn't figure out the breaking change that is resulting in a major version bump. I think using the `Breaking...

area:tooling
type:discussion

We need to implement a new feature to obtain the GitHub Actions workflow that has triggered a build/release from the SLSA provenance (or build command from the Witness provenance) and...

checks
build_tools
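As an added illustration of the feature described above (this is example code, not Macaron's implementation), the block below reads an in-toto statement and pulls out the workflow that triggered the build. The SLSA v0.2 layout (`invocation.configSource`) is defined by that spec; the v1 layout under `buildDefinition.externalParameters.workflow` is builder-specific and is assumed here to match what slsa-github-generator emits. Both sample statements are constructed for the example.

```python
import json


# Constructed sample statements (not taken from the issue or any real build).
SAMPLE_V02 = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "artifact.jar", "digest": {"sha256": "aa" * 32}}],
    "predicate": {
        "invocation": {
            "configSource": {
                "uri": "git+https://github.com/example/project@refs/tags/v1.0.0",
                "entryPoint": ".github/workflows/release.yml",
            }
        }
    },
})

# Assumed shape of externalParameters.workflow (slsa-github-generator style).
SAMPLE_V1 = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": "https://slsa.dev/provenance/v1",
    "subject": [{"name": "artifact.jar", "digest": {"sha256": "bb" * 32}}],
    "predicate": {
        "buildDefinition": {
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v1.0.0",
                    "repository": "https://github.com/example/project",
                    "path": ".github/workflows/release.yml",
                }
            }
        }
    },
})


def triggering_workflow(statement_json):
    """Return (repository, ref, workflow_path) for the workflow that
    triggered the build, or None when the predicate type is unsupported
    or the required fields are missing."""
    stmt = json.loads(statement_json)
    ptype = stmt.get("predicateType", "")
    pred = stmt.get("predicate", {})

    if ptype == "https://slsa.dev/provenance/v0.2":
        src = pred.get("invocation", {}).get("configSource", {})
        uri, entry = src.get("uri"), src.get("entryPoint")
        if not uri or not entry:
            return None
        # uri looks like git+https://host/org/repo@refs/...; split on the last '@'.
        repo, sep, ref = uri.rpartition("@")
        if not sep:
            repo, ref = uri, None
        if repo.startswith("git+"):
            repo = repo[len("git+"):]
        return repo, ref, entry

    if ptype == "https://slsa.dev/provenance/v1":
        wf = (pred.get("buildDefinition", {})
                  .get("externalParameters", {})
                  .get("workflow", {}))
        repo, ref, path = wf.get("repository"), wf.get("ref"), wf.get("path")
        if not repo or not path:
            return None
        return repo, ref, path

    return None


if __name__ == "__main__":
    print(triggering_workflow(SAMPLE_V02))
    print(triggering_workflow(SAMPLE_V1))
```

Because `externalParameters` is free-form in SLSA v1, a real check should key the field layout on the `builder.id` in `runDetails` before trusting the extracted workflow path.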