slsa
slsa copied to clipboard
slsa-framework
Supply-chain Levels for Software Artifacts
This issue is for tracking and building consensus on what will go in the next version of the provenance spec, tentatively called v1.0. ### Current proposal [Schema changes](https://github.com/slsa-framework/slsa/issues?q=is%3Aopen+is%3Aissue+label%3Aspec-change+label%3Aprovenance): - #349...
GitHub Actions + Sigstore can be used to sign artifacts with an X.509 certificate containing the workflow's identity (repository + path + branch/tag). This works by having the workflow request...
This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.[View this repository on the Mend.io Web Portal](https://developer.mend.io/github/slsa-framework/slsa). ## Config Migration Needed - [ ]...
![forking-renovate[bot] avatar](https://avatars.githubusercontent.com/in/7402?v=4 "forking-renovate[bot] avatar"){kind=avatar}
In general, how should a builder record information about its own version in the provenance? From @laurentsimon on https://github.com/in-toto/in-toto-golang/issues/159 (with edits from me): > The [provenance](https://slsa.dev/provenance/v0.2) `builder` field only contains...
The Verification Summary Attestation should list the input attestations that it used as inputs to the decision. This gives us traceability and repeatability of the process. I'm thinking something like:...
PR #141 introduced a *Identifies build instructions* requirement at L1+ that states: > If build-as-code is used, this SHOULD be the source repo and entry point of the build config...
Hello, based on your [SLSA SVG badge](https://github.com/slsa-framework/slsa/blob/main/docs/images/gh-badge-level3.svg) I created a [shields.io](https://shields.io/) badge [](https://slsa.dev/) which is this URL: ``` https://img.shields.io/badge/SLSA-level%203-green?logo=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAA4AAAAOCAMAAAAolt3jAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAABMlBMVEXvMQDvMADwMQDwMADwMADvMADvMADwMADwMQDvMQDvMQDwMADwMADvMADwMADwMADwMQDvMQDvMQDwMQDvMQDwMQDwMADwMADwMQDwMADwMADvMADvMQDvMQDwMADwMQDwMADvMQDwMADwMQDwMADwMADwMADwMADwMADwMADvMQDvMQDwMADwMQDwMADvMQDvMQDwMADvMQDvMQDwMADwMQDwMQDwMQDvMQDwMADvMADwMADwMQDvMQDwMADwMQDwMQDwMQDwMQDvMQDvMQDvMADwMADvMADvMADvMADwMQDwMQDvMADvMQDvMQDvMADvMADvMQDwMQDvMQDvMADvMADvMADvMQDwMQDvMQDvMQDvMADvMADwMADvMQDvMQDvMQDvMADwMADwMQDwMAAAAAA/HoSwAAAAY3RSTlMpsvneQlQrU/LQSWzvM5DzmzeF9Pi+N6vvrk9HuP3asTaPgkVFmO3rUrMjqvL6d0LLTVjI/PuMQNSGOWa/6YU8zNuDLihJ0e6aMGzl8s2IT7b6lIFkRj1mtvQ0eJW95rG0+Sid59x/AAAAAWJLR0Rltd2InwAAAAlwSFlzAAAOwwAADsMBx2+oZAAAAAd0SU1FB+YHGg0tGLrTaD4AAACqSURBVAjXY2BgZEqGAGYWVjYGdg4oj5OLm4eRgZcvBcThFxAUEk4WYRAVE09OlpCUkpaRTU6WY0iWV1BUUlZRVQMqUddgSE7W1NLS1gFp0NXTB3KTDQyNjE2Sk03NzC1A3GR1SytrG1s7e4dkBogtjk7OLq5uyTCuu4enl3cyhOvj66fvHxAIEmYICg4JDQuPiAQrEmGIio6JjZOFOjSegSHBBMpOToxPAgCJfDZC/m2KHgAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMi0wNy0yNlQxMzo0NToyNCswMDowMC8AywoAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjItMDctMjZUMTM6NDU6MjQrMDA6MDBeXXO2AAAAGXRFWHRTb2Z0d2FyZQB3d3cuaW5rc2NhcGUub3Jnm+48GgAAAABJRU5ErkJggg== ``` Unfortunately, the logo is embedded into the link as a...
As long as I know, even though a provenance can be generated by using CI/CD like Github-Actions and Gitlab CI, It seems there is no reference or best practice for...
As we work to clarify the intent and requirements for SLSA 1-3, several folks have suggested to revisit how source requirements are treated. One suggestion is to more clearly separate...
**Objective**: Assess additional frameworks raised in the [7/26 SLSA Positioning SIG meeting](https://docs.google.com/document/d/1tpPOXVzNSwtpWA7cXhTPLAO6HIP50obUvoP85XqgVHM/edit# ). **Outcomes**: - Identify common criteria for assessing various frameworks - Assessing the following frameworks/standards in relation to...
Metadata
Owner
Metadata
Supply-chain Levels for Software Artifacts