{"id":29251651,"url":"https://github.com/janfuhrer/podsalsa","last_synced_at":"2025-07-04T01:08:08.422Z","repository":{"id":232262685,"uuid":"783873896","full_name":"janfuhrer/podsalsa","owner":"janfuhrer","description":"Sample Go application project with supply chain security workflows conforms to the SLSA Build Level 3 specification","archived":false,"fork":false,"pushed_at":"2025-06-16T13:24:49.000Z","size":3571,"stargazers_count":6,"open_issues_count":6,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-28T03:45:55.218Z","etag":null,"topics":["cosign","goreleaser","ko","provenance","sbom","slsa","supply-chain-security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/janfuhrer.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-04-08T18:37:33.000Z","updated_at":"2025-03-17T13:31:22.000Z","dependencies_parsed_at":"2024-04-24T09:41:47.357Z","dependency_job_id":null,"html_url":"https://github.com/janfuhrer/podsalsa","commit_stats":null,"previous_names":["janfuhrer/podsalsa"],"tags_count":27,"template":false,"template_full_name":null,"purl":"pkg:github/janfuhrer/podsalsa","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janfuhrer%2Fpodsalsa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janfuhrer%2Fpodsalsa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janfuhrer%2Fpodsalsa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janfuhrer%2Fpodsalsa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/janfuhrer","download_url":"https://codeload.github.com/janfuhrer/podsalsa/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/janfuhrer%2Fpodsalsa/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263427318,"owners_count":23464844,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cosign","goreleaser","ko","provenance","sbom","slsa","supply-chain-security"],"created_at":"2025-07-04T01:08:07.855Z","updated_at":"2025-07-04T01:08:08.385Z","avatar_url":"https://github.com/janfuhrer.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PodSalsa\n\n[![license](https://img.shields.io/github/license/janfuhrer/podsalsa)](https://github.com/janfuhrer/podsalsa/blob/main/LICENSE)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/janfuhrer/podsalsa/badge)](https://securityscorecards.dev/viewer/?uri=github.com/janfuhrer/podsalsa)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8791/badge?\u0026kill_cache=1)](https://www.bestpractices.dev/projects/8791)\n[![release](https://img.shields.io/github/v/release/janfuhrer/podsalsa)](https://github.com/janfuhrer/podsalsa/releases)\n[![go-version](https://img.shields.io/github/go-mod/go-version/janfuhrer/podsalsa)](https://github.com/janfuhrer/podsalsa/blob/main/go.mod)\n[![Go Report Card](https://goreportcard.com/badge/github.com/janfuhrer/podsalsa)](https://goreportcard.com/report/github.com/janfuhrer/podsalsa)\n[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B44203%2Fgithub.com%2Fjanfuhrer%2Fpodsalsa.svg?type=shield\u0026issueType=license)](https://app.fossa.com/projects/custom%2B44203%2Fgithub.com%2Fjanfuhrer%2Fpodsalsa?ref=badge_shield\u0026issueType=license)\n[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B44203%2Fgithub.com%2Fjanfuhrer%2Fpodsalsa.svg?type=shield\u0026issueType=security)](https://app.fossa.com/projects/custom%2B44203%2Fgithub.com%2Fjanfuhrer%2Fpodsalsa?ref=badge_shield\u0026issueType=security)\n[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)\n\n\u003cp align=\"center\"\u003e\n    \u003cimg src=\"./assets/podsalsa-logo-free.png\" alt=\"PodSalsa\" width=\"400\"\u003e\n\u003c/p\u003e\n\n---\n\nPodSalsa is a simple web application that only displays information about the release version of the application, the Git commit, and the build date.\nThe goal of this project is to provide a simple example of a Go application on GitHub with GitHub Actions for building and releasing the application in a secure way. The focus is on providing a summary/documentation of GitHub Actions best practices, code scanning workflows, vulnerability scanning, and techniques for releasing secure software to improve the security of the software supply chain. This project serves as a starting point for developers interested in supply chain security, artifact provenance, and verification.\n\n## Release\n\nEach release of the application includes Go-binary archives, checksums file, SBOMs and container images. \n\nThe release workflow creates provenance for its builds using the [SLSA standard](https://slsa.dev), which conforms to the [Level 3 specification](https://slsa.dev/spec/v1.0/levels#build-l3). Each artifact can be verified using the `slsa-verifier` or `cosign` tool.\n\n| Artifact           | Description                                        | Verification                                                                                                                                   |\n| ------------------ | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |\n| Go-binary archives | Multi-architecture and platform Go-binary archives | [SLSA-Provenance](./SECURITY.md#verify-provenance-of-release-artifacts)                                                                        |\n| Checksums file     | Checksums file of the Go-binary archives           | [Cosign signature](./SECURITY.md#verify-signature-of-checksum-file)                                                                            |\n| SBOMs              | SBOMs of the Go-binary archives                    | [SLSA-Provenance](./SECURITY.md#go-binary-archives)                                                                                            |\n| Container images   | Multi-architecture container images                | [SLSA-Provenance](./SECURITY.md#verify-provenance-of-container-images) \u0026 [Cosign Signature](./SECURITY.md#verify-signature-of-container-image) |\n| SBOMs              | SBOMs of the container images                      | [SLSA-Provenance](./SECURITY.md#container-images)                                                                                              |\n\n## Documentation\n\n\u003e [!NOTE]\n\u003e All the used workflows, security best practices and more related themes (e.g. component analysis, enforcement on Kubernetes) are documented in this repository.\n\u003e Have a look at the [documentation](./docs/) for more information.\n\n## Use Cases\n\nYou can use this project as a reference for securely building and releasing Go applications on GitHub with SLSA Build Level 3 provenance. Feel free to fork this repository and adapt it to your needs, use the workflows and security best practices in your projects.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjanfuhrer%2Fpodsalsa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjanfuhrer%2Fpodsalsa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjanfuhrer%2Fpodsalsa/lists"}