This repository contains tools for generating non-forgeable SLSA provenance on GitHub that meets the build and provenance requirements for SLSA level 3 and above.
Use of the provided Github Actions reusable workflows only is not sufficient to meet all of the requirements at SLSA level 3. Specifically, the source requirements are not covered by these workflows and must be handled explicitly to meet all requirements at SLSA level 3+.
This repository contains the code, examples and technical design for system described in the blog post on Non forgeable SLSA provenance using GitHub workflows.
To generate SLSA provenance for your Go project, follow internal/builders/go/README.md.
To generate SLSA provenance for other programming languages, follow internal/builders/generic/README.md. This is a pre-release only and we will have the official release in July 2022.
To verify the provenance, use the github.com/slsa-framework/slsa-verifier project.
To install the verifier, see slsa-framework/slsa-verifier#installation.
The inputs of the verifier are described in slsa-framework/slsa-verifier#available-options.
A command line example is provided in slsa-framework/slsa-verifier#example.
Find our blog post series here.
For a more in-depth technical dive, read the SPECIFICATIONS.md.
The format of the provenance is available in PROVENANCE_FORMAT.md.