SLSA provenance generator for Jenkins
As far as I know, even though a provenance can be generated by using CI/CD like GitHub Actions and GitLab CI, it seems there is no reference or best practice for Jenkins CI yet.
I also checked @MarkLodato's comment regarding several ways to generate provenance (https://github.com/slsa-framework/slsa/issues/185#issuecomment-946733812).
So we, Samsung Research Security Team are creating the Jenkins plugin and a guide to generate the provenance with it.
I think our work would help the people who are starting and applying the SLSA to the Jenkins.
Is this work currently open source? Is there any additional info on it? If it is open source I believe there probably would be some desire to collaborate.
Separately, I believe there are others who are also working on similar plugins and work to create SLSA provenance generators for Jenkins. I don't remember who is working on it though.
@mlieberman85, Yes, it is open source. We just finished a draft version. Now we are working on testing a generator and creating a how-to guide.
And we are looking for a proper repository to contribute. I think it would be better to create a repository in "github.com/slsa-framework" like the Azure DevOps SLSA provenance generator(https://github.com/slsa-framework/azure-devops-demo) to collaborate with others and to get reviews. We would like to collaborate with people who are interested in the Jenkins SLSA provenance generator too.
Could you let me know who is in charge of managing repositories, if you know?
@HyuckjunChoi We chatted about this on Slack, but you have now created the plugin and would like to contribute it directly to SLSA. Can you link the plugin here in this issue?
@MarkLodato @joshuagl - what would the process be for deciding on whether or not to take in the Jenkins plugin directly into SLSA org?
@mlieberman85 Sure, this is the SLSA provenance generator for Jenkins. https://github.com/Samsung/slsa-jenkins-generator
@HyuckjunChoi @mlieberman85 - It will be great to add Jenkins support for SLSA generator/verifier. Process-wise, it should just need reviews from the steering committee and other SLSA generator folks.
@asraa @laurentsimon @ianlewis - can help with reviews/validating integration.
@MarkLodato @joshuagl - what would the process be for deciding on whether or not to take in the Jenkins plugin directly into SLSA org?
I think if we have sufficient votes of @slsa-framework/slsa-steering-committee that would work. I'm OK with this.
Apologies for the delayed response here, I thought I had replied already 🤦♂️
I agree that approval by a majority of @slsa-framework/slsa-steering-committee members is an appropriate way to handle projects joining the org, perhaps as a vote in an issue on the governance repo?
I filed https://github.com/slsa-framework/governance/issues/17 to define and document a process and expectations.
@joshuagl Is this feature going to be supported by SLSA? If yes, may I know the ETA?
We are also looking for a similar thing, which is "A Jenkins plugin or some package to support automatically creating the provenance at each and every step of the Jenkins pipeline (like provenance should include all the details of what is happening in the step) and a way to verify attestations individually based on some reference. Some way to create the provenance file which can fulfill the SLSA 1/2/3/4."
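The request above asks for a provenance file per artifact and a way to verify attestations against a reference. As an added illustration (not code from the thread or from the slsa-jenkins-generator project), the block below builds a minimal in-toto Statement carrying a SLSA v0.2 provenance predicate for a constructed artifact and checks it the way a consumer would: subject digest, builder identity and source material. The builder id, source URI, commit hash and step list are made-up sample values.

```python
"""Added illustration, not the slsa-jenkins-generator plugin's own code.
Builds a minimal SLSA v0.2 provenance statement for a constructed artifact
and verifies an artifact against it. All sample values are constructed."""
import hashlib
import json

# Real type identifiers from the in-toto attestation and SLSA specs.
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"

# Constructed sample values (hypothetical builder, repo and commit).
SAMPLE_BUILDER_ID = "https://jenkins.example.invalid/job/build-app"
SAMPLE_SOURCE_URI = "git+https://git.example.invalid/org/app"
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_ARTIFACT = b"constructed artifact bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact_name, artifact_bytes, builder_id, source_uri, commit, steps):
    """Return an in-toto Statement whose predicate is SLSA v0.2 provenance.

    `steps` records what ran in each pipeline stage; v0.2 leaves the shape of
    buildConfig up to the builder, so a simple list of dicts is used here.
    """
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": sha256_hex(artifact_bytes)}}],
        "predicateType": SLSA_PREDICATE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.invalid/jenkins-pipeline@v1",  # constructed
            "invocation": {
                "configSource": {"uri": source_uri,
                                 "digest": {"sha1": commit},
                                 "entryPoint": "Jenkinsfile"},
            },
            "buildConfig": {"steps": steps},
            "materials": [{"uri": source_uri, "digest": {"sha1": commit}}],
        },
    }


def verify_provenance(statement, artifact_name, artifact_bytes,
                      expected_builder_id, expected_source_uri):
    """Return a list of failure reasons; an empty list means the check passed."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != SLSA_PREDICATE_TYPE:
        problems.append("unexpected predicate type")
    # The artifact must be listed as a subject and its digest must match.
    matches = [s for s in statement.get("subject", []) if s.get("name") == artifact_name]
    if not matches:
        problems.append("artifact is not a subject of this provenance")
    elif matches[0].get("digest", {}).get("sha256") != sha256_hex(artifact_bytes):
        problems.append("subject sha256 does not match artifact bytes")
    pred = statement.get("predicate", {})
    # Only a known builder identity is trusted to have produced the artifact.
    if pred.get("builder", {}).get("id") != expected_builder_id:
        problems.append("builder id is not the expected builder")
    # The build must have consumed the expected source repository.
    material_uris = {m.get("uri") for m in pred.get("materials", [])}
    if expected_source_uri not in material_uris:
        problems.append("expected source uri is not among the materials")
    return problems


def demo():
    """Generate provenance for the sample artifact, then verify good and tampered inputs."""
    steps = [{"stage": "checkout", "commit": SAMPLE_COMMIT},
             {"stage": "build", "command": "make release"}]  # constructed
    prov = make_provenance("app.tar.gz", SAMPLE_ARTIFACT, SAMPLE_BUILDER_ID,
                           SAMPLE_SOURCE_URI, SAMPLE_COMMIT, steps)
    good = verify_provenance(prov, "app.tar.gz", SAMPLE_ARTIFACT,
                             SAMPLE_BUILDER_ID, SAMPLE_SOURCE_URI)
    tampered = verify_provenance(prov, "app.tar.gz", SAMPLE_ARTIFACT + b"x",
                                 SAMPLE_BUILDER_ID, SAMPLE_SOURCE_URI)
    wrong_builder = verify_provenance(prov, "app.tar.gz", SAMPLE_ARTIFACT,
                                      "https://other.example.invalid", SAMPLE_SOURCE_URI)
    return json.dumps(prov, indent=2), good, tampered, wrong_builder


if __name__ == "__main__":
    rendered, good, tampered, wrong_builder = demo()
    print(rendered)
    print("good:", good, "tampered:", tampered, "wrong builder:", wrong_builder)
```

Note that this only checks the unsigned statement body; in practice the statement is wrapped in a DSSE envelope and signed by the builder, and the signature check comes before any of the field checks above.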
You might want to take a look at: https://github.com/jenkinsci/in-toto-plugin as well. They have done some of this for in-toto
It would be great if you guys can provide the option to generate SLSA 2 provenance from Jenkins.
Small request, this feature should be flexible enough to generate provenance for any type of trigger. Not only using Generic Webhook Trigger Plugin.
@inferno-chromium
Sorry i have been slow on issues lately, but i am super excited to see https://github.com/slsa-framework/slsa-jenkins-generator
https://github.com/slsa-framework/slsa-jenkins-generator has been donated to the OpenSSF by Samsung and moved into the slsa-framework organisation. I think we are good to close this issue?
@HyuckjunChoi - can you write a short community blog on https://slsa.dev/blog about this new feature, how to use it and any potential projects that started using it ?
@inferno-chromium Thanks for your suggestion. I can write a blog on https://slsa.dev/blog about this feature and I think it is a good opportunity to announce the slsa-jenkins-generator.
Yes that would be great. It could be good to give some insights on future work / current limitations. Do you have any plans to achieve higher SLSA level compliance (non-falsifiable provenance ?) in Jenkins (via plugins or something).
Yes, I agree with you. Currently we are developing the Jenkins plugin that would help Jenkins users more easily generate provenance, and we are also planning to develop a generator that meets higher SLSA level requirements. I think it would be better to include these plans in a blog.
@inferno-chromium I would appreciate it if you could let me know where I can upload a draft blog post. I think it is here, right? https://github.com/slsa-framework/slsa/tree/main/docs/_posts
@HyuckjunChoi That's the right place. You should be able to write the post for a future date and generate it with jekyll --unpublished --future
@ianlewis Thank you for your help.