Verify Provenance Document Exists
Type: Rule
ID: SLSA.L1
Source: v2/rules/slsa/l1-provenance-exists.yaml
Rego Source: l1-provenance-exists.rego
Help: https://slsa.dev/spec/v1.0/requirements
Labels: SLSA
Verify that the Provenance document evidence exists.
This rule requires SLSA Provenance.
Evidence IS required for this rule; the rule will fail if the evidence is missing.
Signed Evidence for this rule IS NOT required by default but is recommended.
Rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Rule is scoped by product and target.
Usage example
uses: slsa/l1-provenance-exists@v2
Mitigation
Recording comprehensive provenance metadata allows organizations to verify the integrity of the build process and ensures that only authorized and untampered artifacts are deployed.
Evidence Requirements
Field | Value |
---|---|
filter-by | ['product', 'target'] |
signed | False |
content_body_type | slsa |
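The existence check described above, sketched as an added example; this is not the rule's own Rego source. The evidence record layout (`product`, `target`, `body`), the function names, and the reading of `--all-evidence` as "evaluate across every target" are assumptions; the predicate type URIs and the DSSE payload type come from the SLSA and in-toto specifications.

```python
import base64
import json

# SLSA provenance predicate types (v0.2 and v1.0 of the specification).
SLSA_PREDICATES = {"https://slsa.dev/provenance/v0.2", "https://slsa.dev/provenance/v1"}

def provenance_kind(doc):
    """Return 'signed', 'unsigned' or None for one parsed JSON evidence body."""
    has_sigs = False
    if isinstance(doc, dict) and "payload" in doc:  # DSSE envelope around a statement
        if doc.get("payloadType") != "application/vnd.in-toto+json":
            return None
        has_sigs = bool(doc.get("signatures"))
        try:
            doc = json.loads(base64.b64decode(doc["payload"]))
        except (ValueError, TypeError):
            return None
    if not isinstance(doc, dict) or doc.get("predicateType") not in SLSA_PREDICATES:
        return None
    # Signature presence only; verifying it against a trusted key is a separate step.
    return "signed" if has_sigs else "unsigned"

def evaluate(evidence, product, target=None, all_evidence=False, require_signed=False):
    """Hypothetical evaluator mirroring the rule: 'pass', 'fail' or 'disabled'."""
    if target is None and not all_evidence:
        return "disabled"
    kinds = [provenance_kind(e["body"]) for e in evidence
             if e["product"] == product and target in (None, e["target"])]
    kinds = [k for k in kinds if k]
    if not kinds or (require_signed and "signed" not in kinds):
        return "fail"
    return "pass"

# Constructed sample evidence (not real build output).
_stmt = {"_type": "https://in-toto.io/Statement/v1",
         "subject": [{"name": "app.tar.gz", "digest": {"sha256": "0" * 64}}],
         "predicateType": "https://slsa.dev/provenance/v1",
         "predicate": {"buildDefinition": {}, "runDetails": {}}}
_envelope = {"payloadType": "application/vnd.in-toto+json",
             "payload": base64.b64encode(json.dumps(_stmt).encode()).decode(),
             "signatures": [{"keyid": "constructed", "sig": "Y29uc3RydWN0ZWQ="}]}
EVIDENCE = [
    {"product": "shop", "target": "app:1.0", "body": _stmt},
    {"product": "shop", "target": "app:2.0", "body": _envelope},
    {"product": "shop", "target": "app:3.0", "body": {"bomFormat": "CycloneDX"}},
]
```

With the default `signed` value of False, the bare statement for `app:1.0` passes; setting `require_signed=True` makes the same target fail, which is the gap the "recommended" signing closes.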