A proof-of-concept SLSA provenance generator for Buildkite.
It is based on SLSA GitHub Actions Demo, and the following is the SLSA description from this repository:
SLSA is a framework intended to codify and promote secure software supply-chain practices. SLSA helps trace software artifacts (e.g. binaries) back to the build and source control systems that produced them using in-toto's Attestation metadata format.
This proof-of-concept GitHub Action demonstrates an initial SLSA integration conformant with SLSA Level 1. This provenance can be uploaded to the native artifact store or to any other artifact repository.
While there are no integrity guarantees on the produced provenance at L1, publishing artifact provenance in a common format opens up opportunities for automated analysis and auditing. Additionally, moving build definitions into source control and onto well-supported, secure build systems represents a marked improvement from the ecosystem's current state.
Generate provenance for single build artifact:
steps:
- label: "๐จ Create artifact and generate provenance"
command:
- "mkdir build"
- "echo 'build artifact' > build/artifact.txt"
artifact_paths:
- "build/*"
plugins:
- hi-artem/provenance-generator#v1.1.11:
output-path: "provenance.json"Generate provenance for multiple build artifacts:
steps:
- label: "๐จ Create artifacts and generate provenance"
command:
- "mkdir build"
- "echo 'build artifact 1' > build/artifact1.txt"
- "echo 'build artifact 2' > build/artifact2.txt"
- "echo 'build artifact 2' > build/artifact3.txt"
artifact_paths:
- "build/*"
plugins:
- hi-artem/provenance-generator#v1.1.11:
output-path: "provenance.json"This is demo repo and is not intended to be used in production contexts. As such, we cannot make any commitments of future support.
- Fork the repo
- Make the changes
- Run the tests
- Commit and push your changes
- Send a pull request
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent