https://github.com/jenkinsci/slsa-plugin

A Jenkins plugin to create SLSA provenance attestations
https://github.com/jenkinsci/slsa-plugin

slsa slsa-generic-generator slsa-provenance

Last synced: about 2 months ago
JSON representation

A Jenkins plugin to create SLSA provenance attestations

• Host: GitHub
• URL: https://github.com/jenkinsci/slsa-plugin
• Owner: jenkinsci
• License: mit
• Created: 2023-04-25T09:42:09.000Z (over 2 years ago)
• Default Branch: main
• Last Pushed: 2025-05-14T08:11:00.000Z (5 months ago)
• Last Synced: 2025-05-14T08:46:53.257Z (5 months ago)
• Topics: slsa, slsa-generic-generator, slsa-provenance
• Language: Java
• Homepage: https://plugins.jenkins.io/slsa
• Size: 93.8 KB
• Stars: 7
• Watchers: 3
• Forks: 0
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE
  • Codeowners: .github/CODEOWNERS

Awesome Lists containing this project

README

          
[![Jenkins Plugin](https://img.shields.io/jenkins/plugin/v/slsa.svg)](https://plugins.jenkins.io/slsa)

[![GitHub release](https://img.shields.io/github/release/jenkinsci/slsa-plugin.svg?label=release)](https://github.com/jenkinsci/slsa-plugin/releases/latest)

[![Jenkins Plugin Installs](https://img.shields.io/jenkins/plugin/i/slsa.svg?color=blue)](https://plugins.jenkins.io/slsa)

[![Build Status](https://ci.jenkins.io/buildStatus/icon?job=Plugins%2Fslsa-plugin%2Fmain)](https://ci.jenkins.io/job/Plugins/job/slsa-plugin/job/main/)

[![GitHub license](https://img.shields.io/github/license/jenkinsci/slsa-plugin.svg)](https://github.com/jenkinsci/slsa-plugin/blob/master/LICENSE)

# SLSA Jenkins Plugin

The SLSA Jenkins plugin generates [SLSA provenance attestations](https://slsa.dev/provenance/) for build artifacts.

## Job configuration - Freestyle project

The plugin provides a ```Post-build action``` which will generate provenance attestations

(`.intoto.jsonl` or `multiple.intoto.jsonl`) in SLSA format for artifacts that

match a given filter after a successful build.

![job configuration](docs/images/jenkins-job-configuration.png)

**Artifact Filter**: Specifies the artifacts to include.

**Target Directory**: Specifies the directory where generated provenance attestations should be created.

## Job configuration - Pipeline project

In order to use the plugin with the descriptive pipeline syntax, the following snippet

can be added:

```

...

post {

    success {

        provenanceRecorder artifactFilter: 'build/libs/**.jar', targetDirectory: 'build/slsa'

    }

}

...

```

**Artifact Filter**: Specifies the artifacts to include.

**Target Directory**: Specifies the directory where generated provenance attestations should be created.

## Current limitations

* currently only GIT SCM provider is supported

* executed build steps are not yet recorded

* signing of attestations is not yet supported

## LICENSE

Licensed under MIT, see [LICENSE](LICENSE).