Getting started with SLSA Level 1
Checklist for attaining SLSA v1.0 Level 1:
- Build your software with a CI system, preferably using a build script that is kept under source control.
- Call the Scribe Valint slsa command from your build script to generate a provenance document.
- Distribute the Provenance Document using Scribe Hub.
Before you begin, install the Scribe plugin for your CI build system.
The general Valint call structure is:
# Create an unsigned SLSA Provenance Document
valint slsa [target] -o statement \
    -P [SCRIBE_TOKEN]
Here [target] is the build artifact and [SCRIBE_TOKEN] is the token for accessing Scribe; when the token is specified, the document is stored at Scribe.
You can store the Provenance Document in alternative evidence stores. Use command flags to customize the content of the provenance document.
Verify downstream that the attestation exists in the evidence store by calling:
valint verify [target] -i statement-slsa \
    -P [SCRIBE_TOKEN]
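Once the provenance document has been fetched from the evidence store, a downstream consumer should also confirm that it actually describes the artifact in hand. The following is an added example, not part of Scribe's documentation or the valint tool; it assumes valint's statement output follows the in-toto Statement layout (`_type`, `subject`, `predicateType`, `predicate`) with a SLSA v1 provenance predicate, and the statement and artifact bytes below are constructed for illustration.

```python
"""Check a SLSA provenance statement against a local build artifact.

Assumption: the statement is an in-toto Statement carrying a SLSA v1
provenance predicate (https://slsa.dev/provenance/v1). Sample data is
constructed here; it is not real valint output.
"""
import hashlib
import json

INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the built artifact and the provenance statement.
ARTIFACT = b"constructed artifact bytes"
SAMPLE_STATEMENT = json.dumps({
    "_type": INTOTO_STATEMENT_TYPE,
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/ci-build"},
        "runDetails": {"builder": {"id": "https://example.invalid/builder"}},
    },
})


def check_provenance(statement_json: str, artifact_name: str, artifact: bytes) -> dict:
    """Report which consumer-side checks the statement passes for this artifact."""
    stmt = json.loads(statement_json)
    digest = sha256_hex(artifact)
    # The artifact we hold must appear as a subject with a matching sha256;
    # a statement about some other artifact proves nothing about this one.
    subject_matches = any(
        s.get("name") == artifact_name and s.get("digest", {}).get("sha256") == digest
        for s in stmt.get("subject", [])
    )
    # SLSA v1 places the builder identity under runDetails.builder.id; the
    # caller compares it against the builder it expects to have produced the artifact.
    builder_id = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    return {
        "is_statement": stmt.get("_type") == INTOTO_STATEMENT_TYPE,
        "is_slsa_provenance": str(stmt.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX),
        "subject_matches": subject_matches,
        "builder_id": builder_id,
    }
```

A statement that passes these checks still only attests what the builder recorded; signing the statement (the attest output) is what lets the consumer trust who recorded it.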
Examples
GitHub
- name: Generate SLSA provenance statement
  id: valint_slsa_statement
  uses: scribe-security/action-bom@master
  with:
    target: 'busybox:latest'
    format: statement-slsa
- uses: actions/upload-artifact@v4
  with:
    name: provenance
    path: ${{ steps.valint_slsa_statement.outputs.OUTPUT_PATH }}
GitLab CI/CD
scribe-gitlab-job:
  stage: scribe-gitlab-stage
  script:
    - valint bom [target]
        -o attest-slsa
        --context-type gitlab
        --output-directory ./scribe/valint
        -P $SCRIBE_TOKEN
Azure DevOps
- task: ValintCli@0
  inputs:
    commandName: bom
    target: [target]
    format: attest-slsa
    outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint
    scribeEnable: true
    scribeClientId: $(SCRIBE-CLIENT-ID)
    scribeClientSecret: $(SCRIBE-CLIENT-SECRET)
Travis CI
script:
  - |
    valint [bom,slsa,evidence] [target] \
      --format [attest, statement] \
      --context-type travis \
      --output-directory ./scribe/valint \
      -P $SCRIBE_TOKEN
Bitbucket
name: scribe-bitbucket-pipeline
script:
  - pipe: scribe-security/valint-pipe:0.1.6
    variables:
      COMMAND_NAME: bom
      TARGET: [target]
      FORMAT: attest-slsa
      SCRIBE_ENABLE: true
      SCRIBE_CLIENT_SECRET: $SCRIBE_TOKEN