{"id":13717765,"url":"https://github.com/slsa-framework/slsa-github-generator","last_synced_at":"2025-05-07T08:30:35.753Z","repository":{"id":36950082,"uuid":"475074978","full_name":"slsa-framework/slsa-github-generator","owner":"slsa-framework","description":"Language-agnostic SLSA provenance generation for Github Actions","archived":false,"fork":false,"pushed_at":"2025-03-18T23:15:48.000Z","size":35985,"stargazers_count":453,"open_issues_count":258,"forks_count":144,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-03-19T00:24:35.457Z","etag":null,"topics":["security","security-hardening","security-tools","slsa","slsaprovenance"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/slsa-framework.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-28T15:57:17.000Z","updated_at":"2025-03-18T23:15:53.000Z","dependencies_parsed_at":"2023-10-17T04:44:18.302Z","dependency_job_id":"950cb547-60f3-4129-a974-d54e05f1fd6e","html_url":"https://github.com/slsa-framework/slsa-github-generator","commit_stats":null,"previous_names":[],"tags_count":39,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slsa-framework%2Fslsa-github-generator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slsa-framework%2Fslsa-github-generator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slsa-framework%
2Fslsa-github-generator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/slsa-framework%2Fslsa-github-generator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/slsa-framework","download_url":"https://codeload.github.com/slsa-framework/slsa-github-generator/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252842367,"owners_count":21812655,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security","security-hardening","security-tools","slsa","slsaprovenance"],"created_at":"2024-08-03T00:01:26.759Z","updated_at":"2025-05-07T08:30:32.752Z","avatar_url":"https://github.com/slsa-framework.png","language":"Go","funding_links":[],"categories":["Identity, signing and provenance","Security and Supply Chain"],"sub_categories":["Supply chain beyond libraries","Streaming Operations"],"readme":"# SLSA GitHub Generator\n\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/slsa-framework/slsa-github-generator/badge)](https://api.securityscorecards.dev/projects/github.com/slsa-framework/slsa-github-generator)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6503/badge)](https://bestpractices.coreinfrastructure.org/projects/6503)\n[![Go Report 
Card](https://goreportcard.com/badge/github.com/slsa-framework/slsa-github-generator)](https://goreportcard.com/report/github.com/slsa-framework/slsa-github-generator)\n[![Slack](https://img.shields.io/static/v1?label=openssf.slack.com\u0026message=%23slsa-tooling\u0026color=4A154B\u0026logo=slack)](https://slack.openssf.org/)\n[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)\n\n\u003cimg alt=\"SLSA logo\" align=\"right\" src=\"https://slsa.dev/images/logo-mono.svg\" width=\"140\" height=\"140\"\u003e\n\n\u003c!-- markdown-toc --bullets=\"-\" -i README.md --\u003e\n\n\u003c!-- toc --\u003e\n\n- [Overview](#overview)\n  - [What is SLSA?](#what-is-slsa)\n  - [What is provenance?](#what-is-provenance)\n  - [What is slsa-github-generator?](#what-is-slsa-github-generator)\n  - [Hall of Fame](#hall-of-fame)\n    - [Generation of Provenance](#generation-of-provenance)\n    - [Builder Creation](#builder-creation)\n- [Generate provenance](#generate-provenance)\n  - [Referencing SLSA builders and generators](#referencing-slsa-builders-and-generators)\n  - [Builders](#builders)\n  - [Generators](#generators)\n- [Verify provenance](#verify-provenance)\n  - [Installation](#installation)\n  - [Inputs](#inputs)\n  - [Command line examples](#command-line-examples)\n- [Known Issues](#known-issues)\n  - [error updating to TUF remote mirror: invalid](#error-updating-to-tuf-remote-mirror-invalid)\n- [Build Your Own Builder](#build-your-own-builder)\n- [Project Roadmap](#project-roadmap)\n- [Technical design](#technical-design)\n  - [Specifications](#specifications)\n  - [Provenance format](#provenance-format)\n- [Contributing](#contributing)\n\n\u003c!-- tocstop --\u003e\n\n## Overview\n\nThis repository contains free tools to generate and verify SLSA Build Level 3 provenance for native GitHub projects using GitHub Actions.\nDevelopers can build their software using a secure process that protects against many supply chain attacks and tampering.\nUsers of 
their software can verify a tamper-proof statement of the process to know how the software was created.\n\n### What is SLSA?\n\n[Supply-chain Levels for Software Artifacts](https://slsa.dev), or SLSA (salsa),\nis a security framework, a checklist of standards and controls to prevent\ntampering, improve integrity, and secure packages and infrastructure in your\nprojects, businesses or enterprises.\n\nSLSA defines an incrementally adoptable set of levels, each defined in\nterms of increasing compliance and assurance. SLSA levels are like a common\nlanguage to talk about how secure software, supply chains and their component\nparts really are.\n\n### What is provenance?\n\nProvenance is information, or metadata, about how a software artifact was\ncreated. This could include information about what source code, build system,\nand build steps were used, as well as who initiated the build and why.\nProvenance can be used to determine the authenticity and trustworthiness of\nsoftware artifacts that you use.\n\nAs part of the framework, SLSA defines a\n[provenance format](https://slsa.dev/provenance/) which can be used to hold this\nmetadata.\n\n### What is slsa-github-generator?\n\nslsa-github-generator is a set of tools for generation of SLSA3+ provenance for\nnative GitHub projects. It allows projects to generate\n[SLSA provenance](https://slsa.dev/provenance/) safely and accurately using\n[GitHub Actions](https://github.com/features/actions).\n\nSpecifically, this repository contains:\n\n- tools for generating non-forgeable SLSA provenance on GitHub for your\n  projects. The generated provenance meets the\n  [provenance generation](https://slsa.dev/spec/v1.0/requirements#provenance-generation) and\n  [isolation](https://slsa.dev/spec/v1.0/requirements#isolation-strength)\n  requirements for\n  [SLSA Build level 3 and above](https://slsa.dev/spec/v1.0/levels). 
See some\n  [popular projects](#hall-of-fame) generating provenance using this project.\n- tools for building a SLSA builder on GitHub using the\n  [Build-Your-Own-Builder](#build-your-own-builder) framework. With this\n  framework, you can \"wrap\" an existing GitHub Action into a SLSA builder. The\n  SLSA builder will generate non-forgeable provenance meeting the\n  [provenance generation](https://slsa.dev/spec/v1.0/requirements#provenance-generation) and\n  [isolation](https://slsa.dev/spec/v1.0/requirements#isolation-strength)\n  requirements for\n  [SLSA Build level 3 and above](https://slsa.dev/spec/v1.0/levels). See some\n  [builders](#builder-creation) created using the BYOB framework.\n\nWhile slsa-github-generator can help you achieve SLSA Build level 3, use of the provided\n[GitHub Actions reusable workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows)\nalone is not sufficient to meet all of the requirements at SLSA Build level 3.\nSpecifically, these workflows do not address provenance\n[distribution](https://slsa.dev/spec/v1.0/distributing-provenance) or\n[verification](https://slsa.dev/spec/v1.0/verifying-artifacts).\nYou can use the [slsa-verifier](#verify-provenance) to verify the provenance.\n\n### Hall of Fame\n\n#### Generation of Provenance\n\nBelow is a non-exhaustive list of projects that use the builders in this repository to generate provenance:\n\n[![flask stars](https://img.shields.io/github/stars/pallets/flask?logo=github\u0026label=pallets/flask)](https://github.com/pallets/flask)\n[![flatbuffers stars](https://img.shields.io/github/stars/google/flatbuffers?logo=github\u0026label=google/flatbuffers)](https://github.com/google/flatbuffers)\n[![grpc-gateway stars](https://img.shields.io/github/stars/grpc-ecosystem/grpc-gateway?logo=github\u0026label=grpc-ecosystem/grpc-gateway)](https://github.com/grpc-ecosystem/grpc-gateway) [![argo-cd 
stars](https://img.shields.io/github/stars/argoproj/argo-cd?logo=github\u0026label=argoproj/argo-cd)](https://github.com/argoproj/argo-cd)\n[![click stars](https://img.shields.io/github/stars/pallets/click?logo=github\u0026label=pallets/click)](https://github.com/pallets/click)\n[![SOPS stars](https://img.shields.io/github/stars/getsops/sops?logo=github\u0026label=getsops/sops)](https://github.com/getsops/sops)\n[![jib stars](https://img.shields.io/github/stars/GoogleContainerTools/jib?logo=github\u0026label=GoogleContainerTools/jib)](https://github.com/GoogleContainerTools/jib)\n[![jinja stars](https://img.shields.io/github/stars/pallets/jinja?logo=github\u0026label=pallets/jinja)](https://github.com/pallets/jinja)\n[![docker-bench-security stars](https://img.shields.io/github/stars/docker/docker-bench-security?logo=github\u0026label=docker/docker-bench-security)](https://github.com/docker/docker-bench-security)\n[![sentencepiece stars](https://img.shields.io/github/stars/google/sentencepiece?logo=github\u0026label=google/sentencepiece)](https://github.com/google/sentencepiece)\n[![werkzeug stars](https://img.shields.io/github/stars/pallets/werkzeug?logo=github\u0026label=pallets/werkzeug)](https://github.com/pallets/werkzeug)\n[![ko stars](https://img.shields.io/github/stars/ko-build/ko?logo=github\u0026label=ko-build/ko)](https://github.com/ko-build/ko)\n[![micronaut-core stars](https://img.shields.io/github/stars/micronaut-projects/micronaut-core?logo=github\u0026label=micronaut-projects/micronaut-core)](https://github.com/micronaut-projects/micronaut-core)\n[![kubeedge stars](https://img.shields.io/github/stars/kubeedge/kubeedge?logo=github\u0026label=kubeedge/kubeedge)](https://github.com/kubeedge/kubeedge)\n[![osv-scanner stars](https://img.shields.io/github/stars/google/osv-scanner?logo=github\u0026label=google/osv-scanner)](https://github.com/google/osv-scanner)\n[![flux2 
stars](https://img.shields.io/github/stars/fluxcd/flux2?logo=github\u0026label=fluxcd/flux2)](https://github.com/fluxcd/flux2)\n[![kyverno stars](https://img.shields.io/github/stars/kyverno/kyverno?logo=github\u0026label=kyverno/kyverno)](https://github.com/kyverno/kyverno)\n[![flask-sqlalchemy stars](https://img.shields.io/github/stars/pallets-eco/flask-sqlalchemy?logo=github\u0026label=pallets-eco/flask-sqlalchemy)](https://github.com/pallets-eco/flask-sqlalchemy)\n[![scorecard stars](https://img.shields.io/github/stars/ossf/scorecard?logo=github\u0026label=ossf/scorecard)](https://github.com/ossf/scorecard)\n[![urllib3 stars](https://img.shields.io/github/stars/urllib3/urllib3?logo=github\u0026label=urllib3/urllib3)](https://github.com/urllib3/urllib3)\n[![pdns stars](https://img.shields.io/github/stars/PowerDNS/pdns?logo=github\u0026label=PowerDNS/pdns)](https://github.com/PowerDNS/pdns)\n[![powertools-lambda-python stars](https://img.shields.io/github/stars/aws-powertools/powertools-lambda-python?logo=github\u0026label=aws-powertools/powertools-lambda-python)](https://github.com/aws-powertools/powertools-lambda-python)\n[![hishtory stars](https://img.shields.io/github/stars/ddworken/hishtory?logo=github\u0026label=ddworken/hishtory)](https://github.com/ddworken/hishtory)\n[![PrivateBin stars](https://img.shields.io/github/stars/PrivateBin/PrivateBin?logo=github\u0026label=PrivateBin/PrivateBin)](https://github.com/PrivateBin/PrivateBin)\n[![NoPorts stars](https://img.shields.io/github/stars/atsign-foundation/noports?logo=github\u0026label=Atsign-Foundation/NoPorts)](https://github.com/atsign-foundation/noports)\n[![openfga stars](https://img.shields.io/github/stars/openfga/openfga?logo=github\u0026label=openfga/openfga)](https://github.com/openfga/openfga)\n\n[Edit this file](https://github.com/slsa-framework/slsa-github-generator/edit/main/README.md) to add your repository!\n\n#### Builder Creation\n\nSeveral builders have been built using the [\"Build Your 
Own Builder\" (BYOB) framework](#build-your-own-builder):\n\n1. [nodejs builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/nodejs#readme), by [@ianlewis](https://github.com/ianlewis)\n2. [JReleaser builder](https://github.com/jreleaser/release-action/tree/java#slsa-builder), by [@aalmiray](https://github.com/aalmiray)\n3. [Maven builder](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/maven/README.md), by [@AdamKorcz](https://github.com/AdamKorcz)\n4. [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle/README.md), by [@AdamKorcz](https://github.com/AdamKorcz)\n5. **Coming soon!** [Bazel builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/bazel/README.md), by [@enteraga6](https://github.com/enteraga6)\n\n## Generate provenance\n\nBelow we describe the various [builders](#builders) and [generators](#generators) in this repository. They build and / or generate non-forgeable provenance\nusing a trusted / isolated re-usable workflow. You can read up on the design in our [technical design document](#technical-design).\n\nTo select the right option to generate provenance for your use case, take into account the programming language and build toolchain you already use, e.g. `go`, `mvn`, `bazel`, etc. Select a [builder](#builders) for your ecosystem.\nFor example, if you use Go, use the [Go builder](internal/builders/go/README.md). 
If you use Java and build Maven packages, use the [Maven builder](internal/builders/maven/README.md), and so on.\nIf your release scripts are more complex than what the builder supports, or if there is no builder for your ecosystem, use a provenance [generator](#generators) instead.\n\n### Referencing SLSA builders and generators\n\nAt present, the GitHub Actions provided in this repository as builders and generators **MUST** be referenced\nby tag in order for the `slsa-verifier` to be able to verify the ref of the trusted builder/generator's\nreusable workflow. The tag also needs to be the full version tag `@vX.Y.Z`, because the build will fail if you reference it via a shorter tag like `@vX.Y` or `@vX`.\n\nThis is contrary to the [GitHub best practice for third-party actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions), which recommends referencing by digest, but it is intentional due to limits in GitHub Actions.\nThe desire to be able to verify reusable workflows pinned by hash, and the reasons for the current status, are tracked as [Issue #12](https://github.com/slsa-framework/slsa-verifier/issues/12) in the slsa-verifier project.\n\nFor guidance on how to configure Renovate, see [RENOVATE.md](RENOVATE.md).\n\n### Builders\n\nBuilders build and generate provenance. 
They let you meet the\n[provenance generation](https://slsa.dev/spec/v1.0/requirements#provenance-generation) and\n[isolation strength](https://slsa.dev/spec/v1.0/requirements#isolation-strength)\nrequirements for [SLSA Build level 3 and above](https://slsa.dev/spec/v1.0/levels).\n\nThis repository hosts the following builders:\n\n| Ecosystem                                   | Builder                                                       | Description                                                                                                                                                      | Status                                                                                                                                                                         |\n| :------------------------------------------ | :------------------------------------------------------------ | :--------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| [Go](https://go.dev/) projects              | [Go Builder](internal/builders/go/README.md)                  | Builds and generates provenance for Go projects                                                                                                                  | [Stable since v1.0.0](https://github.com/slsa-framework/slsa-github-generator/milestone/1)                                                                                     |\n| [Node.js](https://nodejs.org) projects      | [Node.js Builder](internal/builders/nodejs/README.md)         | Builds and generates provenance for npm packages                                                                                                                 | [Beta since 
v1.6.0](https://github.com/slsa-framework/slsa-github-generator/milestone/8). [GA Milestone](https://github.com/slsa-framework/slsa-github-generator/milestone/17) |\n| [Maven](https://maven.apache.org/) projects | [Maven builder](internal/builders/maven/README.md)            | Builds Maven packages and generates provenance. Can be uploaded to [Maven central](https://search.maven.org)                                                     | [Beta since v1.9.0](https://github.com/slsa-framework/slsa-github-generator/milestone/14)                                                                                      |\n| [Gradle](https://gradle.org/) projects      | [Gradle builder](internal/builders/gradle/README.md)          | Builds Gradle projects and generates provenance. Can be uploaded to [Maven central](https://search.maven.org)                                                    | [Beta since v1.9.0](https://github.com/slsa-framework/slsa-github-generator/milestone/15)                                                                                      |\n| [Bazel](https://bazel.build/) projects      | [Bazel builder](internal/builders/bazel/README.md)            | Builds [Bazel](https://bazel.build/) projects and generates provenance                                                                                           | [WIP](https://github.com/slsa-framework/slsa-github-generator/milestone/16)                                                                                                    |\n| [docker](https://www.docker.com/) images    | Container Builder                                             | Builds docker containers and generates provenance. 
The generated provenance is compatible with [cosign](https://github.com/sigstore/cosign)'s attestation format | [WIP](https://github.com/slsa-framework/slsa-github-generator/milestone/5)                                                                                                     |\n| Any                                         | [Container-based Builder](internal/builders/docker/README.md) | Builds projects whose build pipeline is defined with a Dockerfile                                                                                                | [Beta since v1.7.0](https://github.com/slsa-framework/slsa-github-generator/milestone/16)                                                                                      |\n\nThere are other available builders using this repository's [BYOB framework](#build-your-own-builder) and not hosted in this repository:\n\n| Ecosystem                                    | Builder                                                                                 | Description                                                               | Status                                                                            |\n| :------------------------------------------- | :-------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | :-------------------------------------------------------------------------------- |\n| [JReleaser](https://jreleaser.org/) projects | [JReleaser builder](https://github.com/jreleaser/release-action/tree/java#slsa-builder) | Builds and generates provenance using [JReleaser](https://jreleaser.org/) | [since v1.0.0-java](https://github.com/jreleaser/release-action/tree/v1.0.0-java) |\n\nIf none of these options fit your needs, use a [generator](#generators) as described below:\n\n### Generators\n\nGenerators only generate provenance for you. 
They let you meet the\n[provenance generation](https://slsa.dev/spec/v1.0/requirements#provenance-generation) and\n[isolation strength](https://slsa.dev/spec/v1.0/requirements#isolation-strength)\nrequirements for [SLSA Build level 3 and above](https://slsa.dev/spec/v1.0/levels).\n\nGenerators create an attestation to a software artifact coming from your repository.\n\nThis repository hosts the following generators:\n\n| Artifact type                       | Generator                                                    | Description                                                                                                                                              | Status                                                                                     |\n| :---------------------------------- | :----------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------- |\n| file (binary, package tarball etc.) | [Generic generator](internal/builders/generic/README.md)     | Generates provenance for arbitrary file-based artifacts, for any ecosystem and programming language                                                      | [Stable since v1.2.0](https://github.com/slsa-framework/slsa-github-generator/milestone/2) |\n| container                           | [Container generator](internal/builders/container/README.md) | Generates provenance for container images. The generated provenance is compatible with [cosign](https://github.com/sigstore/cosign)'s attestation format. 
| [Stable since v1.4.0](https://github.com/slsa-framework/slsa-github-generator/milestone/3) |\n\n## Verify provenance\n\nTo verify provenance created by any of the builders in this repository, use the [github.com/slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project.\n\n### Installation\n\nTo install the verifier, see [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation).\n\n### Inputs\n\nThe inputs of the verifier are described in [slsa-framework/slsa-verifier#available-options](https://github.com/slsa-framework/slsa-verifier#available-options).\n\n### Command line examples\n\nA command line example is provided in [slsa-framework/slsa-verifier#example](https://github.com/slsa-framework/slsa-verifier#example).\n\n## Known Issues\n\n### error updating to TUF remote mirror: invalid\n\nThis error occurs when generating provenance with any of the builders and generators.\n\n**Affected versions:** all versions up to and including v1.9.0\n\n```shell\nerror updating to TUF remote mirror: invalid\n```\n\nThis issue is tracked by [issue #3350](https://github.com/slsa-framework/slsa-github-generator/issues/3350). You _must_ update to v1.10.0 to fix this issue.\n\n## Build Your Own Builder\n\nUse the [BYOB framework](BYOB.md) to create your own SLSA builder on GitHub. If you have an existing GitHub Action, you can use the BYOB framework to wrap it into a SLSA builder.\nThis will harden the build process by running the Action in an isolated environment. Generated artifacts will meet Build Level 3 expectations and produce Build Level 3 provenance.\nTo verify the provenance, your users can use the [slsa-verifier](#verify-provenance).\n\n## Project Roadmap\n\nThe project roadmap is tracked via milestones. 
You can track progress and open\nissues via the [milestones page](https://github.com/slsa-framework/slsa-github-generator/milestones?direction=asc\u0026sort=due_date\u0026state=open).\nEach milestone includes a description of what is being worked on and a rough\ntimeline for completion.\n\n## Technical design\n\nThe initial technical design was described in the blog post\n\"[Improving software supply chain security with tamper-proof builds](https://security.googleblog.com/2022/04/improving-software-supply-chain.html)\".\n\n### Specifications\n\nFor a more in-depth technical dive, read the [SPECIFICATIONS.md](./SPECIFICATIONS.md).\n\n### Provenance format\n\nThe format of the provenance is available in [PROVENANCE_FORMAT.md](./PROVENANCE_FORMAT.md).\n\n## Contributing\n\nPlease see the [Contributor Guide](CONTRIBUTING.md) for more info.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslsa-framework%2Fslsa-github-generator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fslsa-framework%2Fslsa-github-generator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslsa-framework%2Fslsa-github-generator/lists"}