Verify that provenance is authenticated

Type: Rule
ID: SLSA.L2
Source: v2/rules/slsa/l2-provenance-authenticated.yaml
Rego Source: l2-provenance-authenticated.rego
Help: https://slsa.dev/spec/v1.0/requirements
Labels: SLSA

Verify the artifact is signed.

note

This rule requires Signed SLSA Provenance. See here for more details.

tip

Evidence IS required for this rule and will fail if missing.

tip

Signed Evidence for this rule IS required by default.

warning

Rule requires evaluation with a target or an asset input. Without one, it will be disabled unless the --all-evidence flag is provided.

info

Rule is scoped by product and target.

Usage example

uses: slsa/l2-provenance-authenticated@v2

Mitigation

Cryptographic authentication prevents tampering with provenance data, ensuring that only valid and secure build information is used to establish the integrity of the software supply chain.

Evidence Requirements

Field	Value
filter-by	['product', 'target']
signed	True
content_body_type	slsa

Rule Parameters (`with`)

Parameter	Default
identity	`{'common-names': [], 'emails': []}`

Usage example​

Mitigation​

Evidence Requirements​

Rule Parameters (with)​

Usage example

Mitigation

Evidence Requirements

Rule Parameters (`with`)