SLSA L1 & L2 Provenance from Logs
Scribe simplifies the generation of SLSA Level 1 & Level 2 provenance for container images at scale, without requiring any changes to your existing pipelines. Instead of embedding provenance generators in each CI job, Scribe combines Scribe Platforms' posture attestations with build-log analysis from GitHub Actions and other supported systems to produce complete provenance statements automatically.
Overview
At the heart of this feature is the automated creation of rich, SLSA-compliant provenance documents. These provenance statements are structured, verifiable attestations that include detailed information extracted from:
- The source code repository and its history (via GitHub SCM APIs)
- The container image build targets (e.g., image digests, tags, IDs)
- CI systems and logs (timestamps, runners, inputs)
- Associated SBOMs, linking both the source and built image artifacts as evidence
When to Use
- You cannot modify the CI pipelines due to authority or scale
- You want SLSA provenance but cannot modify the CI pipelines
- You want to verify builds retroactively (e.g., last 30 days)
- You operate across 10s or 100s of repositories
- You want SLSA Level 1 (unsigned) or Level 2 (signed) as structured, independently validated evidence
SLSA Levels Explained with Scribe
Scribe's `platforms discover` command automatically creates SLSA provenance for each image build it detects. The SLSA level produced (Level 1 or Level 2) depends solely on whether the provenance is cryptographically signed.
- SLSA Level 1 (Unsigned Provenance): This level of provenance is generated by default when you use `platforms discover`. It captures essential information about the build process, as extracted from logs, but the provenance statement itself is not cryptographically signed. This provides a valuable, machine-readable record of the build, offering transparency and traceability.
- SLSA Level 2 (Signed Provenance): To achieve SLSA Level 2, the provenance generated by `platforms discover` must be cryptographically signed by a trusted entity. Scribe facilitates this through the `--valint.sign` flag, which integrates with a signing capability (like Scribe Hub's attestation signing capability). Signing the provenance provides strong assurance that the provenance has not been tampered with and that it originates from a verified source.
What Scribe Platforms Does Under the Hood
Behind the scenes, Scribe Platforms performs several steps to turn raw workflow logs into SLSA-compliant provenance:
- Analyze GitHub Actions logs across multiple repositories: Detects every image build (Docker, Buildah, Podman) without altering your pipelines.
- Extract critical build metadata automatically: Pulls builder, tag, digest, and timestamp information straight from the logs.
- Generate and link SBOM evidence: Associates both source-code and image SBOMs with the build for end-to-end traceability.
- Generate in-toto SLSA statements (L1 or L2): Produces valid provenance, optionally signing it when `--valint.sign` is enabled.
- Run SLSA compliance initiatives: Once each provenance file is written, Scribe automatically executes the matching policy-as-code initiative (`slsa.l1` for unsigned L1, `slsa.l2` for signed L2). The initiative validates the evidence set, emits a SARIF report detailing compliance status, and, for Level 2, signs that report before attaching it as additional, verifiable evidence.
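The log-extraction step above, sketched as an added Python example; it is not Scribe's implementation. The line shapes are assumed from the `build_log` and `imageID_log` fields in Appendix A, the sample log is constructed, and the function names are hypothetical.

```python
import re
import shlex

# Assumed line shapes, taken from the build_log / imageID_log fields in Appendix A.
# The ISO-8601 prefix is what raw GitHub Actions logs put in front of each line.
CMD_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\s+)?.*?"
    r"running cmd=\[(?P<cmd>[^\]]+)\].*?args=\[(?P<args>.*)\]\s*$"
)
IMAGE_RE = re.compile(r"writing image (?P<id>sha256:[0-9a-f]{64})\b")
BUILD_TOOLS = {"docker", "podman", "buildah"}


def parse_build_args(arg_string):
    """Return (tags, build_args) from the logged argument list."""
    # shlex keeps a quoted value such as DESCRIPTION="a b c" in one token;
    # a plain str.split() would cut it at the first space.
    tokens = iter(shlex.split(arg_string))
    tags, build_args = [], {}
    for tok in tokens:
        if tok in ("-t", "--tag"):
            tags.append(next(tokens, ""))
        elif tok.startswith("--tag="):
            tags.append(tok.split("=", 1)[1])
        elif tok == "--build-arg" or tok.startswith("--build-arg="):
            pair = next(tokens, "") if tok == "--build-arg" else tok.split("=", 1)[1]
            key, _, value = pair.partition("=")
            build_args[key] = value
    return tags, build_args


def extract_builds(log_lines):
    """Scan log lines and return one record per detected image build."""
    builds = []
    for line in log_lines:
        m = CMD_RE.match(line)
        if m and (m.group("cmd").split() or [""])[0] in BUILD_TOOLS:
            record = {"tool": m.group("cmd"), "started": m.group("ts"),
                      "tags": [], "build_args": {}, "image_id": None,
                      "parse_error": None}
            try:
                record["tags"], record["build_args"] = parse_build_args(m.group("args"))
            except ValueError as exc:  # unbalanced quote in the logged command
                record["parse_error"] = str(exc)
            builds.append(record)
            continue
        m = IMAGE_RE.search(line)
        if m and builds and builds[-1]["image_id"] is None:
            builds[-1]["image_id"] = m.group("id")  # attach to the most recent build
    return builds


# Constructed sample log (not taken from a real run).
FAKE_ID = "sha256:" + "ab" * 32
SAMPLE_LOG = [
    "2025-01-01T10:00:00.0000000Z ##[group]Run make release",
    '2025-01-01T10:00:05.0000000Z   • running cmd=[docker buildx] cwd=/tmp/build '
    'args=[--builder default build . --load -t example/app:v1.2.3 -t example/app:latest '
    '--build-arg=BUILD_VERSION=1.2.3 --build-arg=DESCRIPTION="Example data provider" '
    '--build-arg=PROJECT_NAME=app]',
    "2025-01-01T10:00:40.0000000Z #13 writing image " + FAKE_ID + " done",
]

if __name__ == "__main__":
    for build in extract_builds(SAMPLE_LOG):
        print(build)
```

A record with `parse_error` set keeps empty tags and build arguments, so a malformed log line is reported rather than turned into partial metadata.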
Example Usage L1 (Unsigned Provenance)
The following command will generate SLSA Level 1 provenance. The provenance document will contain rich build metadata but will not be cryptographically signed.
```bash
# The mapping is quoted so the shell does not try to expand the leading "*".
platforms discover github \
  --scope.organization scribe-security \
  --scope.repository "valint" \
  --repository.mapping "*::valint_slsa::v1" \
  --commit.skip \
  --slsa-enable \
  --slsa.tags-only
```
This command will:
- Scan recent GitHub workflows for the `scribe-security` organization.
- Match release workflows from `valint` repositories.
- Extract image build metadata from logs.
- Generate SLSA Level 1 provenance (unsigned).
- Include links to source and image SBOMs.
- Export the evidence under product key `valint_slsa` with version `v1`.
Example Usage L2 (Signed Provenance)
To generate SLSA Level 2 provenance, you need to sign the provenance statement. This is done by adding the `--valint.sign` flag. This typically requires integration with a signing service (e.g., Scribe Hub's attestation signing).
```bash
# The mapping is quoted so the shell does not try to expand the leading "*".
platforms discover --valint.sign github \
  --scope.organization scribe-security \
  --scope.repository "valint" \
  --repository.mapping "*::valint_slsa::v1" \
  --commit.skip \
  --slsa-enable \
  --slsa.tags-only
```
This command will:
- Perform all actions of the L1 example.
- Additionally, it will cryptographically sign the generated SLSA provenance statements, elevating them to SLSA Level 2.
Example GitHub Actions Workflow
Tip: It's recommended to schedule this workflow (instead of running manually) to ensure timely collection of logs before GitHub Actions deletes them (typically after 90 days).
You can also run the `discover` command from within GitHub Actions using the Scribe Security GitHub Action:
```yaml
name: Discover SLSA Provenance from GitHub
on:
  schedule:
    - cron: '0 4 * * *' # Runs daily at 04:00 UTC
  workflow_dispatch:
permissions:
  id-token: write # Allows Sigstore signing via GitHub OIDC identity
  contents: read
jobs:
  discover-slsa:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
      SCRIBE_TOKEN: ${{ secrets.GH_CI_DEV_SCRIBE_SECRET }}
    steps:
      - name: Discover GitHub Provenance
        uses: scribe-security/action-platforms@dev
        with:
          command: discover
          platform: github
          sign: true # required for SLSA Level 2
          slsa: true
          args: >-
            --slsa-enable
            --slsa.tags-only
            --scope.organization=scribe-security
            --scope.repository=valint
            --organization.mapping=scribe-security::valint_slsa::v1
            --repository.mapping=scribe-security*valint::valint_slsa::v1
```
Key Flags
Flag | Description |
---|---|
--slsa-enable | Enable SLSA provenance extraction and export |
--valint.sign | (For SLSA L2) Enables cryptographic signing of the generated SLSA provenance. This typically requires configuration for a signing backend (e.g., X509 Keys, Sigstore - GitHub's OIDC, or an external KMS). |
--slsa.tags-only | Limit to tag-based builds only |
--slsa.all-versions | Include SLSA Provenance evidence for all published images (all versions) rather than just the latest for each tag. By default, only the latest image provenance is included. |
--slsa.scope.branch | Restrict provenance to specific branches |
--slsa.scope.tag | Restrict provenance to matching tags |
--slsa.scope.workflow | Restrict provenance to named workflows/jobs |
--slsa.scope.image | Restrict provenance to particular image names/repositories |
--repository.mapping | Assign product key for evidence export |
--skip-cache | Force recomputation even if cached results exist |
Proving SLSA Compliance with Policy-as-Code Initiatives
After Scribe generates SLSA provenance for your container images, it automatically takes a critical extra step: it runs policy-as-code initiatives against the provenance and its associated evidence. This provides a robust, verifiable way to demonstrate SLSA compliance.
What are Scribe Initiatives?
Scribe Initiatives are predefined or custom sets of policy rules that evaluate your software supply chain's compliance. For SLSA, Scribe offers specific initiatives to verify various aspects of your provenance and its linked SBOMs (Software Bill of Materials) for both source and image.
These initiatives check for things like:
- The existence and integrity of the provenance document and its linked SBOMs.
- That critical fields in the provenance (e.g., builder identity, source repository) match expected values.
- For SLSA Level 2, that both the provenance and the resulting SARIF (Static Analysis Results Interchange Format) compliance report are cryptographically signed, ensuring their authenticity.
The outcome of these evaluations is a SARIF report. This report details your compliance status, highlights any policy deviations, and links back to all relevant evidence. For SLSA Level 2, this SARIF report is also signed, adding another layer of verifiable assurance.
This automated verification and reporting gives you:
- Robust Compliance Proof: Independently validated evidence of your SLSA adherence.
- End-to-End Traceability: Links all artifacts and reports directly to the build process.
- Streamlined Auditing: A standardized, machine-readable format for compliance reporting.
Further Reading and Resources
For more details on Scribe's policy-as-code initiatives and their role in SLSA compliance, explore these resources:
- Applying Initiatives to your SDLC: https://scribe-security.netlify.app/docs/guides/enforcing-sdlc-initiative
- SLSA L1 Initiative Documentation & Source: https://scribe-security.netlify.app/docs/configuration/initiatives/slsa.l1/ and https://github.com/scribe-public/sample-policies/blob/main/v2/initiatives/slsa.l1.yaml
- SLSA L2 Initiative Documentation & Source: https://scribe-security.netlify.app/docs/configuration/initiatives/slsa.l2/ and https://github.com/scribe-public/sample-policies/blob/main/v2/initiatives/slsa.l2.yaml
What's Collected in the Provenance Attestation
- `subject`: Captures the single output artifact of the build: its full image reference plus a SHA-256 digest (the cryptographic hash that uniquely fingerprints the image). This hash ties the provenance unambiguously to that exact image, even if the tag is later reused. Note: If a workflow emits multiple images, Scribe generates one provenance statement per image.
- `predicate.buildDefinition`: Describes how the artifact was built. This includes:
  - Build System Details: Information about the CI/CD platform used (e.g., GitHub Actions workflow file, specific job, and run ID).
  - Source Code: The exact Git repository URL, commit SHA, and branch/tag that was built.
  - Build Parameters: External inputs such as Docker build arguments and the names of all repository-level secrets that were available to the job (values are never stored).
  - Resolved Dependencies: A comprehensive list of all inputs consumed by the build, including base images (Image SBOM source), third-party actions (Log Source), and tools.
- `predicate.runDetails`: Details what happened during the build execution. This covers:
  - Builder Identity: A precise reference to the specific workflow definition or builder tool that orchestrated the build.
  - Execution Metadata: Timestamps for the start and end of the build, along with a unique invocation ID.
  - Byproducts: Additional artifacts produced during the build that contribute to the overall evidence. This includes references to build logs, intermediate container layers, and the generated Image SBOMs, linking them to their corresponding digests and relevant build context.
For a full example, see Appendix A - Provenance Example.
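A consumer-side check of the fields listed above (subject digest, source repository, builder identity), added here as a Python example over the statement layout shown in Appendix A; it is not Scribe's initiative code. The sample statement, repository URL and digests are constructed, the function names are hypothetical, and the unpinned-action warning is an extra policy assumed for illustration. It inspects content only and does not verify a signature.

```python
import copy
import re

SLSA_V1 = "https://slsa.dev/provenance/v1"
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def dig(obj, *path, default=None):
    """Walk nested dicts; return default as soon as a key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def check_provenance(stmt, expected):
    """Return (level, message) findings; an empty list means every check passed."""
    findings = []
    if stmt.get("predicateType") != SLSA_V1:
        findings.append(("fail", "predicateType is not SLSA provenance v1"))

    # subject: the image digest being admitted must be one of the attested subjects.
    subject_digests = {dig(s, "digest", "sha256") for s in stmt.get("subject", [])}
    if expected["image_sha256"] not in subject_digests:
        findings.append(("fail", "expected image digest is not a subject"))

    ext = dig(stmt, "predicate", "buildDefinition", "externalParameters", default={})
    repo = dig(ext, "context", "repository")
    if repo != expected["repository"]:
        findings.append(("fail", f"source repository mismatch: {repo!r}"))
    git_ref = str(dig(ext, "context", "git_ref", default=""))
    if expected.get("tags_only", True) and not git_ref.startswith("refs/tags/"):
        findings.append(("fail", "build was not made from a tag"))

    # builder identity: a workflow file in the expected repo, at the built commit.
    commit = dig(ext, "source", "digest", "sha1", default="")
    builder = dig(stmt, "predicate", "runDetails", "builder", "id", default="")
    prefix = f"{expected['repository']}/blob/{commit}/.github/workflows/"
    if not COMMIT_SHA.match(commit) or not builder.startswith(prefix):
        findings.append(("fail", "builder id is not a workflow at the built commit"))

    # resolvedDependencies: report actions referenced by a movable tag or branch.
    deps = dig(stmt, "predicate", "buildDefinition", "resolvedDependencies", default=[])
    for dep in deps:
        ref = dig(dep, "annotations", "action_ref")
        if ref is not None and not COMMIT_SHA.match(ref):
            findings.append(("warn", f"{dep.get('name')} is not pinned to a commit SHA"))
    return findings


# Constructed sample, trimmed to the fields the checks read (not a real build).
REPO = "https://github.com/example-org/example-app"
COMMIT = "0123456789abcdef0123456789abcdef01234567"
SAMPLE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V1,
    "subject": [{"name": "example/app", "digest": {"sha256": "ab" * 32}}],
    "predicate": {
        "buildDefinition": {
            "externalParameters": {
                "context": {"repository": REPO, "git_ref": "refs/tags/v1.2.3"},
                "source": {"digest": {"sha1": COMMIT}},
            },
            "resolvedDependencies": [
                {"name": "actions/checkout@v3", "annotations": {"action_ref": "v3"}},
            ],
        },
        "runDetails": {
            "builder": {"id": f"{REPO}/blob/{COMMIT}/.github/workflows/release.yml"}
        },
    },
}
EXPECTED = {"repository": REPO, "image_sha256": "ab" * 32}


def tampered_copy():
    """Same statement, but naming a workflow from a different repository."""
    stmt = copy.deepcopy(SAMPLE)
    stmt["predicate"]["runDetails"]["builder"]["id"] = (
        f"https://github.com/other-org/fork/blob/{COMMIT}/.github/workflows/release.yml"
    )
    return stmt


if __name__ == "__main__":
    print(check_provenance(SAMPLE, EXPECTED))
    print(check_provenance(tampered_copy(), EXPECTED))
```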
Compatibility
Log Sources
- GitHub Actions
Build Tools
- Docker
- Podman
- Buildah
Appendix A - Provenance Example
SLSA Provenance example
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{
"name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"digest": {
"sha256": "f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1"
}
},
{
"name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"digest": {
"sha256": "96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
}
},
{
"name": "scribe://target/",
"digest": {
"sha256": "7f7cb3f64eedcf3c4f90545dd611bf739b7e990584995143bc61f97aeaa7dc71"
}
}
],
"predicate": {
"buildDefinition": {
"buildType": "https://docs.scribesecurity.com/buildtypes/github-workflow/v1",
"externalParameters": {
"context": {
"ADDED_BY": "platforms",
"event": "push",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"repository": "https://github.com/scribe-security/gatekeeper-valint",
"run_name": "release",
"source_git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git"
},
"head_commit": {
"author": {
"email": "mdstrauss91@gmail.com",
"name": "houdini91"
},
"committer": {
"email": "mdstrauss91@gmail.com",
"name": "houdini91"
},
"id": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"message": "upstream",
"timestamp": "2025-06-05T10:57:04Z",
"tree_id": "60391731fb5752c01eaeb94a0f6252789bb08759"
},
"pipeline": {
"actor": "houdini91",
"build_num": "49",
"job": "call-release ",
"run_id": "15465260889",
"type": "github",
"workflow": "release"
},
"source": {
"digest": {
"sha1": "8845c03b89e38df1d1f3d18268f6253ac5fd190e"
},
"uri": "git:https://github.com/scribe-security/gatekeeper-valint.git@refs/tags/v2.0.4"
}
},
"internalParameters": {
"build": {
"build_args": [
"BUILD_DATE=2025-06-05T10:59:13Z",
"BUILD_VERSION=2.0.4",
"VCS_REF=8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"VCS_URL=https://github.com/scribe-security/gatekeeper-valint",
"BUILD_VERSION=2.0.4",
"DESCRIPTION=\"Valint",
"PROJECT_NAME=gatekeeper-valint]"
],
"build_log": "• running cmd=[docker buildx] cwd=/tmp/goreleaserdocker213353077 args=[--builder default build . --load -t scribesecurity/gatekeeper-valint:v2.0.4 -t scribesecurity/gatekeeper-valint:latest --build-arg=BUILD_DATE=2025-06-05T10:59:13Z --build-arg=BUILD_VERSION=2.0.4 --build-arg=VCS_REF=8845c03b89e38df1d1f3d18268f6253ac5fd190e --build-arg=VCS_URL=https://github.com/scribe-security/gatekeeper-valint --build-arg=BUILD_VERSION=2.0.4 --build-arg=DESCRIPTION=\"Valint gatekeeper external data provider\" --build-arg=PROJECT_NAME=gatekeeper-valint]",
"secret_list": [
"SCRIBE_DEV_M2M_CLIENT_ID",
"SCRIBE_DEV_M2M_CLIENT_SECRET",
"SCRIBE_STAGING_M2M_CLIENT_ID",
"SCRIBE_STAGING_M2M_CLIENT_SECRET"
]
},
"context": {
"actor": "houdini91",
"asset_id": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"asset_name": "scribesecurity/gatekeeper-valint:v2.0.4",
"asset_type": "image",
"build_num": "49",
"content_body_type": "slsa",
"content_type": "statement-slsa",
"context_type": "local",
"created": "2025-06-05T11:01:59.058746094Z",
"extra_labels": [
"component-group=base_image",
"component-group=metadata"
],
"format_encoding": "json",
"format_type": "slsa",
"format_version": "v1",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"imageID": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"image_name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"input_name": "scribesecurity/gatekeeper-valint",
"input_scheme": "docker",
"input_tag": "v2.0.4@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"job_name": "call-release ",
"labels": [
"platform=github",
"asset_type=slsa_target",
"parent-asset-id=scribe-security/gatekeeper-valint",
"parent-asset-type=repository",
"parent-asset-name=gatekeeper-valint",
"cache_key=15465260889",
"component-group=base_image",
"component-group=metadata"
],
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"platform": "linux/amd64",
"predicate_type": "https://slsa.dev/provenance/v1",
"product_version": "v1",
"repoDigest": [
"scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1"
],
"run_id": "15465260889",
"sbomcomponents": [
"base_image",
"metadata"
],
"sbomgroup": "container",
"sbomhashs": [
"sha256-f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sha256-96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
],
"sbomname": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sbompurl": "pkg:docker/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d?arch=amd64",
"sbomtype": "container",
"sbomversion": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"size": 124078632,
"target_type": "container",
"timestamp": "2025-06-12T11:48:47+03:00",
"tool": "valint",
"tool_vendor": "Scribe Security",
"tool_version": "2.0.0-3-SNAPSHOT-a1e7b37",
"user": "mikey",
"workflow": "release"
}
},
"resolvedDependencies": [
{
"uri": "git:https://github.com/scribe-security/gatekeeper-valint.git@refs/tags/v2.0.4",
"digest": {
"sha1": "8845c03b89e38df1d1f3d18268f6253ac5fd190e"
},
"name": "refs/tags/v2.0.4",
"annotations": {
"branch": "v2.0.4",
"tag": ""
}
},
{
"uri": "scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"annotations": {
"ADDED_BY": "valint",
"SBOM_METADATA": {
"OS": "linux",
"actor": "houdini91",
"architecture": "amd64",
"build_num": "49",
"context_type": "local",
"created": "2025-06-05T11:01:59.058746094Z",
"entrypoint": "/home/scribe/docker/entrypoint.sh, /home/scribe/${PROJECT_NAME}",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"imageEnvironment_0": "PATH=/home/scribe/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"imageEnvironment_1": "PROJECT_NAME=gatekeeper-valint",
"imageID": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"imageUser": "65532:65532",
"input_name": "scribesecurity/gatekeeper-valint",
"input_scheme": "docker",
"input_tag": "v2.0.4@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"job_name": "call-release ",
"label_io.artifacthub.package.license": "Apache-2.0",
"label_io.artifacthub.package.name": "gatekeeper-valint",
"label_io.artifacthub.package.readme-url": "https://raw.githubusercontent.com/scribe-security/gatekeeper-valint/README.md",
"label_io.artifacthub.package.vendor": "Scribe security, Inc.",
"label_org.opencontainers.image.created": "2025-06-05T10:59:13Z",
"label_org.opencontainers.image.description": "\"Valint gatekeeper external data provider\"",
"label_org.opencontainers.image.revision": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"label_org.opencontainers.image.source": "https://github.com/scribe-security/gatekeeper-valint",
"label_org.opencontainers.image.title": "gatekeeper-valint",
"label_org.opencontainers.image.vendor": "Scribe security, Inc.",
"label_org.opencontainers.image.version": "2.0.4",
"labels_0": "platform=github",
"labels_1": "asset_type=slsa_target",
"labels_2": "parent-asset-id=scribe-security/gatekeeper-valint",
"labels_3": "parent-asset-type=repository",
"labels_4": "parent-asset-name=gatekeeper-valint",
"labels_5": "cache_key=15465260889",
"manifest-digest": "sha256:94023f7bbe13163404aada47909e965ee98addd9b65edc805d293235be582596",
"media-type": "application/vnd.docker.distribution.manifest.v2+json",
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"product_version": "v1",
"registry_location": "index.docker.io",
"registry_scheme": "https",
"repoDigest_0": "scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"run_id": "15465260889",
"size": "124078632",
"target_type": "container",
"timestamp": "2025-06-12T11:48:47+03:00",
"user": "mikey",
"workflow": "release"
}
}
},
{
"uri": "https://github.com/actions/checkout",
"digest": {
"sha1": "942562b9c7d4b1f2557f1da21f4d3eb4eb4fd01f2ad78b2a6e187d1b193e0a0f"
},
"name": "actions/checkout@v3",
"annotations": {
"action_ref": "v3",
"action_ref_type": "major",
"env": {
"ARTIFACTORY_URL": "https://scribesecuriy.jfrog.io",
"GOPRIVATE": "github.com/scribe-security/*",
"GO_VERSION": "1.21"
},
"inputs": {
"clean": "true",
"fetch-depth": "0",
"fetch-tags": "false",
"lfs": "false",
"persist-credentials": "true",
"repository": "scribe-security/gatekeeper-valint",
"set-safe-directory": "true",
"sparse-checkout-cone-mode": "true",
"ssh-strict": "true",
"submodules": "false",
"token": "***"
},
"version": "3.6.0"
}
},
{
"uri": "https://github.com/actions/setup-go",
"digest": {
"sha1": "1b5ba729a06c8434c34b6776887b6934e562a955369e9f11807883dd5e99cd81"
},
"name": "actions/setup-go@v3",
"annotations": {
"action_ref": "v3",
"action_ref_type": "major",
"env": {
"ARTIFACTORY_URL": "https://scribesecuriy.jfrog.io",
"GOPRIVATE": "github.com/scribe-security/*",
"GO_VERSION": "1.21"
},
"inputs": {
"cache": "false",
"check-latest": "false",
"go-version": "1.21",
"token": "***"
},
"version": "3.6.1"
}
},
{
"uri": "https://github.com/actions/cache",
"digest": {
"sha1": "912f76fb11db1ca09ae23248a39eb86e79ea0f0f6e183d9cb96d0b778eeea4e2"
},
"name": "actions/cache@v3",
"annotations": {
"action_ref": "v3",
"action_ref_type": "major",
"env": {
"ARTIFACTORY_URL": "https://scribesecuriy.jfrog.io",
"GOPRIVATE": "github.com/scribe-security/*",
"GO_VERSION": "1.21"
},
"inputs": {
"enableCrossOsArchive": "false",
"fail-on-cache-miss": "false",
"key": "Linux-go-1.21-14fb4d3c9f15f444578334a60ca0e69141dd77054775852da7ca35a3e2e5f96e",
"lookup-only": "false",
"path": "~/go/pkg/mod",
"restore-keys": "Linux-go-1.21-"
},
"version": "3.4.3"
}
},
{
"uri": "https://github.com/docker/login-action",
"digest": {
"sha1": "074da69a9e77797ae469f40db0f64632c02629b61bfa229f2fa803f41a464283"
},
"name": "docker/login-action@v2",
"annotations": {
"action_ref": "v2",
"action_ref_type": "major",
"env": {
"ARTIFACTORY_URL": "https://scribesecuriy.jfrog.io",
"GOPRIVATE": "github.com/scribe-security/*",
"GO_VERSION": "1.21"
},
"inputs": {
"ecr": "auto",
"logout": "true",
"password": "***",
"username": "scribesecurity"
},
"version": "2.2.0"
}
},
{
"uri": "https://github.com/actions/upload-artifact",
"digest": {
"sha1": "290722aa3281d5caf23d0acdc3dbeb3424786a1a01a9cc97e72f147225e37c38"
},
"name": "actions/upload-artifact@v4",
"annotations": {
"action_ref": "v4",
"action_ref_type": "major",
"env": {
"ARTIFACTORY_URL": "https://scribesecuriy.jfrog.io",
"GOPRIVATE": "github.com/scribe-security/*",
"GO_VERSION": "1.21"
},
"inputs": {
"compression-level": "6",
"if-no-files-found": "warn",
"include-hidden-files": "false",
"name": "artifacts",
"overwrite": "false",
"path": "dist/**/*"
},
"version": "4.6.2"
}
}
]
},
"runDetails": {
"builder": {
"id": "https://github.com/scribe-security/gatekeeper-valint/blob/8845c03b89e38df1d1f3d18268f6253ac5fd190e/.github/workflows/release.yml",
"builderDependencies": [
{
"uri": "https://scribesecuriy.jfrog.io/scribe-docker-public-local/valint:2.0.0-3-SNAPSHOT-a1e7b37",
"name": "valint",
"annotations": {
"ADDED_BY": "valint",
"vendor": "Scribe security, Inc",
"version": "2.0.0-3-SNAPSHOT-a1e7b37"
}
}
]
},
"metadata": {
"invocationID": "15465260889",
"startedOn": "2025-06-05T10:57:25Z",
"finishedOn": "2025-06-05T10:57:25Z"
},
"byproducts": [
{
"uri": "pkg:layer/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A7483facda2dd4ca8c8ec97443ccac2dbb8202c11a80bd2032c532f3e42b2a22e?index=0",
"digest": {
"sha256": "7483facda2dd4ca8c8ec97443ccac2dbb8202c11a80bd2032c532f3e42b2a22e"
},
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"annotations": {
"ADDED_BY": "valint",
"CreatedBy": "COPY /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt # buildkit",
"index": "0",
"size": "221335"
}
},
{
"uri": "pkg:layer/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A73d4c6ce708fe21d12ec8dc1bb9d293564b5af387e52b540b1290bdaaf648097?index=1",
"digest": {
"sha256": "73d4c6ce708fe21d12ec8dc1bb9d293564b5af387e52b540b1290bdaaf648097"
},
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"annotations": {
"ADDED_BY": "valint",
"CreatedBy": "COPY / / # buildkit",
"index": "1",
"size": "28812158"
}
},
{
"uri": "pkg:layer/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A6a796d2334354cef859a961595c4b6688c57d28426ea7e81c46794f98ddf22f8?index=2",
"digest": {
"sha256": "6a796d2334354cef859a961595c4b6688c57d28426ea7e81c46794f98ddf22f8"
},
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"annotations": {
"ADDED_BY": "valint",
"CreatedBy": "RUN |6 DESCRIPTION=\"Valint gatekeeper external data provider\" BUILD_DATE=2025-06-05T10:59:13Z BUILD_VERSION=2.0.4 VCS_REF=8845c03b89e38df1d1f3d18268f6253ac5fd190e VCS_URL=https://github.com/scribe-security/gatekeeper-valint PROJECT_NAME=gatekeeper-valint /bin/sh -c /bin/mkdir -p /etc/scribe/keys /home/scribe/ # buildkit",
"index": "2",
"size": "0"
}
},
{
"uri": "pkg:layer/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3Af48ae6c678043a30b5faff13298cf1e6db0c82d5ae7e1ef89b0c4225f97960f4?index=3",
"digest": {
"sha256": "f48ae6c678043a30b5faff13298cf1e6db0c82d5ae7e1ef89b0c4225f97960f4"
},
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"annotations": {
"ADDED_BY": "valint",
"CreatedBy": "COPY . /home/scribe/ # buildkit",
"index": "3",
"size": "95045139"
}
},
{
"uri": "pkg:layer/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef?index=4",
"digest": {
"sha256": "5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
},
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"annotations": {
"ADDED_BY": "valint",
"CreatedBy": "WORKDIR /home/scribe/",
"index": "4",
"size": "0"
}
},
{
"uri": "pkg:OS/wolfi@20230201",
"name": "wolfi",
"annotations": {
"ADDED_BY": "valint",
"BugReportURL": "https://github.com/wolfi-dev/os/issues",
"HomeURL": "https://wolfi.dev",
"ID": "wolfi",
"Name": "Wolfi",
"PrettyName": "Wolfi",
"VersionID": "20230201"
}
},
{
"uri": "https://api.github.com/repos/scribe-security/gatekeeper-valint/actions/runs/15465260889/logs",
"digest": {
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
"name": "scribe-security/gatekeeper-valint/release/15465260889/call-release ",
"mediaType": "text/plain",
"annotations": {
"ADDED_BY": "platforms",
"build_args": [
"BUILD_DATE=2025-06-05T10:59:13Z",
"BUILD_VERSION=2.0.4",
"VCS_REF=8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"VCS_URL=https://github.com/scribe-security/gatekeeper-valint",
"BUILD_VERSION=2.0.4",
"DESCRIPTION=\"Valint",
"PROJECT_NAME=gatekeeper-valint]"
],
"build_log": "• running cmd=[docker buildx] cwd=/tmp/goreleaserdocker213353077 args=[--builder default build . --load -t scribesecurity/gatekeeper-valint:v2.0.4 -t scribesecurity/gatekeeper-valint:latest --build-arg=BUILD_DATE=2025-06-05T10:59:13Z --build-arg=BUILD_VERSION=2.0.4 --build-arg=VCS_REF=8845c03b89e38df1d1f3d18268f6253ac5fd190e --build-arg=VCS_URL=https://github.com/scribe-security/gatekeeper-valint --build-arg=BUILD_VERSION=2.0.4 --build-arg=DESCRIPTION=\"Valint gatekeeper external data provider\" --build-arg=PROJECT_NAME=gatekeeper-valint]",
"imageID_log": "#13 writing image sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d done",
"log_filepath": "0_call-release _ release.txt",
"workflow_file": "https://github.com/scribe-security/gatekeeper-valint/blob/8845c03b89e38df1d1f3d18268f6253ac5fd190e/.github/workflows/release.yml"
}
},
{
"uri": "scribesecurity/gatekeeper-valint:v2.0.4@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"digest": {
"sha256": "96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
},
"name": "scribesecurity/gatekeeper-valint:v2.0.4",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"annotations": {
"ADDED_BY": "platforms",
"image_id": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
}
},
{
"uri": "https://github.com/scribe-security/gatekeeper-valint.git",
"digest": {
"sha1": "8845c03b89e38df1d1f3d18268f6253ac5fd190e"
},
"name": "https://github.com/scribe-security/gatekeeper-valint.git",
"mediaType": "application/vnd.in-toto+json",
"annotations": {
"context": {
"actor": "houdini91",
"build_num": "49",
"content_body_type": "cyclonedx-json",
"content_type": "statement-cyclonedx-json",
"context_type": "local",
"dir_id": "sha256:a89281ab7752d169fd47c0d8ac1cbeac701d4f63608774b2ab0e2a6624bedbc4",
"dir_path": "/home/mikey/scribe/platforms_lib/output/clone/15465260889/v2.0.4/8845c03b89e38df1d1f3d18268f6253ac5fd190e/gatekeeper-valint/clone/gatekeeper-valint",
"extra_labels": [
"component-group=packages",
"component-group=dep",
"component-group=metadata"
],
"format_encoding": "json",
"format_type": "cyclonedx",
"format_version": "1.5",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"input_name": "https://github.com/scribe-security/gatekeeper-valint.git",
"input_scheme": "git",
"job_name": "call-release ",
"labels": [
"platform=github",
"asset_type=slsa_target",
"parent-asset-id=scribe-security/gatekeeper-valint",
"parent-asset-type=repository",
"parent-asset-name=gatekeeper-valint",
"cache_key=15465260889",
"component-group=packages",
"component-group=dep",
"component-group=metadata"
],
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"predicate_type": "https://cyclonedx.org/bom/v1.5",
"product_version": "v1",
"ref": "113193",
"run_id": "15465260889",
"sbomcomponents": [
"packages",
"dep",
"metadata"
],
"sbomgroup": "git",
"sbomhashs": [
"sha1-8845c03b89e38df1d1f3d18268f6253ac5fd190e"
],
"sbomname": "https://github.com/scribe-security/gatekeeper-valint.git",
"sbompurl": "pkg:git/https%3A/github.com/scribe-security/gatekeeper-valint.git@8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"sbomtype": "file",
"sbomversion": "sha1:8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"store": "scribe",
"target_git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"target_git_ref": "refs/tags/v2.0.4",
"target_git_tag": "v2.0.4",
"target_git_url": "https://github.com/scribe-security/gatekeeper-valint.git",
"target_type": "git",
"timestamp": "2025-06-12T11:48:42+03:00",
"tool": "valint",
"tool_vendor": "Scribe Security",
"tool_version": "2.0.0-3-SNAPSHOT-a1e7b37",
"user": "mikey",
"workflow": "release"
},
"ref-id": "113193",
"target-type": "git"
}
},
{
"uri": "https://github.com/scribe-security/gatekeeper-valint.git",
"digest": {
"sha1": "8845c03b89e38df1d1f3d18268f6253ac5fd190e"
},
"name": "https://github.com/scribe-security/gatekeeper-valint.git",
"mediaType": "application/vnd.in-toto+json",
"annotations": {
"context": {
"actor": "houdini91",
"build_num": "49",
"content_body_type": "cyclonedx-json",
"content_type": "statement-cyclonedx-json",
"context_type": "local",
"dir_id": "sha256:a89281ab7752d169fd47c0d8ac1cbeac701d4f63608774b2ab0e2a6624bedbc4",
"dir_path": "/home/mikey/scribe/platforms_lib/output/clone/15465260889/v2.0.4/8845c03b89e38df1d1f3d18268f6253ac5fd190e/gatekeeper-valint/clone/gatekeeper-valint",
"extra_labels": [
"component-group=packages",
"component-group=dep",
"component-group=metadata"
],
"format_encoding": "json",
"format_type": "cyclonedx",
"format_version": "1.5",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"input_name": "https://github.com/scribe-security/gatekeeper-valint.git",
"input_scheme": "git",
"job_name": "call-release ",
"labels": [
"platform=github",
"asset_type=slsa_target",
"parent-asset-id=scribe-security/gatekeeper-valint",
"parent-asset-type=repository",
"parent-asset-name=gatekeeper-valint",
"cache_key=15465260889",
"component-group=packages",
"component-group=dep",
"component-group=metadata"
],
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"predicate_type": "https://cyclonedx.org/bom/v1.5",
"product_version": "v1",
"ref": "113193",
"run_id": "15465260889",
"sbomcomponents": [
"packages",
"dep",
"metadata"
],
"sbomgroup": "git",
"sbomhashs": [
"sha1-8845c03b89e38df1d1f3d18268f6253ac5fd190e"
],
"sbomname": "https://github.com/scribe-security/gatekeeper-valint.git",
"sbompurl": "pkg:git/https%3A/github.com/scribe-security/gatekeeper-valint.git@8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"sbomtype": "file",
"sbomversion": "sha1:8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"store": "scribe",
"target_git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"target_git_ref": "refs/tags/v2.0.4",
"target_git_tag": "v2.0.4",
"target_git_url": "https://github.com/scribe-security/gatekeeper-valint.git",
"target_type": "git",
"timestamp": "2025-06-12T11:48:42+03:00",
"tool": "valint",
"tool_vendor": "Scribe Security",
"tool_version": "2.0.0-3-SNAPSHOT-a1e7b37",
"user": "mikey",
"workflow": "release"
},
"ref-id": "/home/mikey/.cache/valint/sha1-8845c03b89e38df1d1f3d18268f6253ac5fd190e.bom.statement.json",
"target-type": "git"
}
},
{
"uri": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"digest": {
"sha256": "96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
},
"name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"mediaType": "application/vnd.in-toto+json",
"annotations": {
"context": {
"actor": "houdini91",
"asset_id": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"asset_name": "scribesecurity/gatekeeper-valint:v2.0.4",
"asset_type": "image",
"build_num": "49",
"content_body_type": "cyclonedx-json",
"content_type": "statement-cyclonedx-json",
"context_type": "local",
"created": "2025-06-05T11:01:59.058746094Z",
"extra_labels": [
"component-group=base_image",
"component-group=metadata"
],
"format_encoding": "json",
"format_type": "slsa",
"format_version": "v1",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"imageID": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"image_name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"input_name": "scribesecurity/gatekeeper-valint",
"input_scheme": "docker",
"input_tag": "v2.0.4@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"job_name": "call-release ",
"labels": [
"platform=github",
"asset_type=slsa_target",
"parent-asset-id=scribe-security/gatekeeper-valint",
"parent-asset-type=repository",
"parent-asset-name=gatekeeper-valint",
"cache_key=15465260889",
"component-group=base_image",
"component-group=metadata"
],
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"platform": "linux/amd64",
"predicate_type": "https://slsa.dev/provenance/v1",
"product_version": "v1",
"ref": "113194",
"repoDigest": [
"scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1"
],
"run_id": "15465260889",
"sbomcomponents": [
"base_image",
"metadata"
],
"sbomgroup": "container",
"sbomhashs": [
"sha256-f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sha256-96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
],
"sbomname": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sbompurl": "pkg:docker/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d?arch=amd64",
"sbomtype": "container",
"sbomversion": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"size": 124078632,
"store": "scribe",
"target_type": "container",
"timestamp": "2025-06-12T11:48:47+03:00",
"tool": "valint",
"tool_vendor": "Scribe Security",
"tool_version": "2.0.0-3-SNAPSHOT-a1e7b37",
"user": "mikey",
"workflow": "release"
},
"ref-id": "113194",
"target-type": "container"
}
},
{
"uri": "scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"digest": {
"sha256": "96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
},
"name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"mediaType": "application/vnd.in-toto+json",
"annotations": {
"context": {
"actor": "houdini91",
"asset_id": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"asset_name": "scribesecurity/gatekeeper-valint:v2.0.4",
"asset_type": "image",
"build_num": "49",
"content_body_type": "cyclonedx-json",
"content_type": "statement-cyclonedx-json",
"context_type": "local",
"created": "2025-06-05T11:01:59.058746094Z",
"extra_labels": [
"component-group=base_image",
"component-group=metadata"
],
"format_encoding": "json",
"format_type": "slsa",
"format_version": "v1",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"imageID": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"image_name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"input_name": "scribesecurity/gatekeeper-valint",
"input_scheme": "docker",
"input_tag": "v2.0.4@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"job_name": "call-release ",
"labels": [
"platform=github",
"asset_type=slsa_target",
"parent-asset-id=scribe-security/gatekeeper-valint",
"parent-asset-type=repository",
"parent-asset-name=gatekeeper-valint",
"cache_key=15465260889",
"component-group=base_image",
"component-group=metadata"
],
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"platform": "linux/amd64",
"predicate_type": "https://slsa.dev/provenance/v1",
"product_version": "v1",
"ref": "113194",
"repoDigest": [
"scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1"
],
"run_id": "15465260889",
"sbomcomponents": [
"base_image",
"metadata"
],
"sbomgroup": "container",
"sbomhashs": [
"sha256-f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sha256-96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
],
"sbomname": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sbompurl": "pkg:docker/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d?arch=amd64",
"sbomtype": "container",
"sbomversion": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"size": 124078632,
"store": "scribe",
"target_type": "container",
"timestamp": "2025-06-12T11:48:47+03:00",
"tool": "valint",
"tool_vendor": "Scribe Security",
"tool_version": "2.0.0-3-SNAPSHOT-a1e7b37",
"user": "mikey",
"workflow": "release"
},
"ref-id": "/home/mikey/.cache/valint/sha256-96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d.bom.statement.json",
"target-type": "container"
}
}
]
}
}
}