
Artifact SLSA provenance attestation

The following rule type is available for checking that an artifact has a valid SLSA attestation and its provenance information conforms to a policy.

stacklok/artifact_attestation_slsa - Verify the integrity of an artifact using SLSA

This rule allows you to verify that an artifact has a valid SLSA attestation and that the provenance information is correct.

Entity

  • artifact

Type

  • stacklok/artifact_attestation_slsa

Rule Parameters

The stacklok/artifact_attestation_slsa rule supports the following parameters:

  • tags (array) - The tags that should be checked for signatures. If not specified, all tags will be checked. If specified, the artifact must be tagged with all the specified tags in order to be checked.

  • tag_regex (string) - A regular expression specifying the tags that should be checked for signatures. If not specified, all tags will be checked. If specified, the artifact must be tagged with a tag that matches the regular expression in order to be checked.

  • name (string) - The name of the artifact that should be checked for signatures. If not specified, all artifacts will be checked.

  • type (enum) - The type of artifact to check.

    • container - A container image

  • sigstore (string) - The URL of the sigstore TUF root to use for verification. The default value is tuf-repo-cdn.sigstore.dev.

It is an error to specify both tags and tag_regex.

Rule Definition Options

The stacklok/artifact_attestation_slsa rule has the following options:

  • event (array) - Events allowed to trigger a build. Default is ["workflow_dispatch", "push"].
  • workflow_repository (string) - Repository expected to produce the artifact, e.g. https://github.com/mindersec/minder
  • workflow_ref (string) - The git reference of the executed workflow, e.g. refs/heads/main
  • signer_identity (string) - The identity of the signer of the artifact, e.g. a workflow file name such as docker-image-build-push.yml for GitHub workflow signatures, or an email address
  • runner_environment (string) - The environment the artifact was built in, e.g. hosted-runner or self-hosted-runner. Set to github-hosted to check for artifacts built on a GitHub-hosted runner.
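To show how the rule definition options above map onto the fields of a SLSA provenance statement, here is an added policy-evaluation example. It is not Minder's own code: the field layout of the constructed sample provenance is an assumption modelled on the GitHub Actions SLSA v1 build type, the check_provenance function is hypothetical, and it assumes the attestation's signature has already been verified against the Sigstore TUF root before the policy is evaluated.

```python
import json
from typing import List, Optional

# Constructed sample: the in-toto statement of a SLSA v1 provenance as a
# GitHub Actions build would emit it (field layout is an assumption, not a
# real attestation).
SAMPLE_PROVENANCE = json.loads("""{
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "buildType": "https://actions.github.io/buildtypes/workflow/v1",
      "externalParameters": {"workflow": {
        "ref": "refs/heads/main",
        "repository": "https://github.com/mindersec/minder",
        "path": ".github/workflows/docker-image-build-push.yml"}},
      "internalParameters": {"github": {
        "event_name": "push",
        "runner_environment": "github-hosted"}}
    }
  }
}""")


def check_provenance(statement: dict, *, event: Optional[List[str]] = None,
                     workflow_repository: Optional[str] = None,
                     workflow_ref: Optional[str] = None,
                     signer_identity: Optional[str] = None,
                     runner_environment: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the provenance
    conforms. Each keyword mirrors one rule definition option; None leaves that
    aspect unconstrained (event falls back to the documented default)."""
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["predicateType is not SLSA provenance v1"]
    build = statement["predicate"]["buildDefinition"]
    wf = build.get("externalParameters", {}).get("workflow", {})
    gh = build.get("internalParameters", {}).get("github", {})
    violations = []
    allowed_events = event if event is not None else ["workflow_dispatch", "push"]
    if gh.get("event_name") not in allowed_events:
        violations.append(f"build triggered by disallowed event {gh.get('event_name')!r}")
    if workflow_repository and wf.get("repository") != workflow_repository:
        violations.append(f"built from {wf.get('repository')!r}, expected {workflow_repository!r}")
    if workflow_ref and wf.get("ref") != workflow_ref:
        violations.append(f"built at ref {wf.get('ref')!r}, expected {workflow_ref!r}")
    # For GitHub workflow signatures the signer identity is the workflow file name.
    if signer_identity and wf.get("path", "").rsplit("/", 1)[-1] != signer_identity:
        violations.append(f"signed by workflow {wf.get('path')!r}, expected {signer_identity!r}")
    if runner_environment and gh.get("runner_environment") != runner_environment:
        violations.append(f"built on {gh.get('runner_environment')!r}, expected {runner_environment!r}")
    return violations
```

Calling check_provenance with the sample statement and the option values used in the list above returns no violations; tightening any one option (for example restricting event to ["workflow_dispatch"]) produces a violation naming the mismatched field.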