https://github.com/slsa-framework/source-tool
A proof-of-concept for how the SLSA Source Track could be implemented.
- Host: GitHub
- URL: https://github.com/slsa-framework/source-tool
- Owner: slsa-framework
- License: apache-2.0
- Created: 2025-01-06T18:10:05.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-08-05T22:11:55.000Z (11 months ago)
- Last Synced: 2025-08-06T00:10:32.503Z (11 months ago)
- Language: Go
- Size: 1.71 MB
- Stars: 8
- Watchers: 4
- Forks: 10
- Open Issues: 25
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# slsa-source-poc
A proof-of-concept for how the SLSA Source Track could be implemented.
The code in this repository should not be relied upon for production purposes.
Status: in development
## Design
[REQUIREMENTS_MAPPING.md](docs/REQUIREMENTS_MAPPING.md) defines the rationale for how
this tool meets the SLSA Source Requirements.
[DESIGN.md](docs/DESIGN.md) explains more specifically how the system works.
## Components
[compute_slsa_source.yml](.github/workflows/compute_slsa_source.yml) is a reusable workflow that
calculates a SLSA source level and produces 'source provenance' and a 'verification summary'
for the revision (commit) that was just pushed.
[local_attest.yml](.github/workflows/local_attest.yml) is a local workflow that invokes compute_slsa_source.yml.
[slsa_with_provenance](actions/slsa_with_provenance/action.yml) is a GitHub Action that does most
of the work.
[get_note](actions/get_note/action.yml) is a GitHub Action that gets a git note from a commit.
[store_note](actions/store_note/action.yml) is a GitHub Action that stores a git note for
a commit.