SLSA Verifier Build Provenance Checker
SLSA Verifier is the official tool from the SLSA framework for verifying build provenance attestations generated by SLSA-compliant builders. It checks that software artifacts were built from the expected source, by an authorized builder, without tampering in the build pipeline.
What it does
SLSA Verifier is the official tool from the SLSA framework for verifying build provenance attestations generated by SLSA-compliant builders. It checks that software artifacts were built from the expected source, by an authorized builder, without tampering in the build pipeline.
Installation
Use the upstream install or setup path that matches your environment:
- $ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.7.1
- $ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier
- $ git clone git@github.com:slsa-framework/slsa-verifier.git
Requirements and caveats from upstream:
- npm packages built using the SLSA3 Node.js builder
- source-branch: Expects a branch like main or dev. Not supported for all GitHub Workflow triggers. (GitHub builders)
Basic usage or getting-started notes:
- You have two options to install the verifier.
- Compilation from source
- Option 1: Install via go
- Extracted from upstream docs: https://raw.githubusercontent.com/slsa-framework/slsa-verifier/HEAD/README.md
Quality
deterministic score 0.45 from registry signals: indexed on github topic:agent-skills · 8 github stars · SKILL.md body (1,476 chars)