
SLSA L1 & L2 Provenance from Logs

Scribe simplifies the generation of SLSA Level 1 & Level 2 provenance for container images at scale, without requiring any changes to your existing pipelines. Instead of embedding provenance generators in each CI job, Scribe combines Scribe Platforms’ posture attestations with build-log analysis from GitHub Actions and other supported systems to produce complete provenance statements automatically.

Overview

At the heart of this feature is the automated creation of rich, SLSA-compliant provenance documents. These provenance statements are structured, verifiable attestations that include detailed information extracted from:

  • The source code repository and its history (via GitHub SCM APIs)
  • The container image build targets (e.g., image digests, tags, IDs)
  • CI systems and logs (timestamps, runners, inputs)
  • Associated SBOMs, linking both the source and built image artifacts as evidence

When to Use

  • You cannot modify the CI pipelines due to authority or scale
  • You want SLSA provenance but cannot modify the CI pipelines
  • You want to verify builds retroactively (e.g., last 30 days)
  • You operate across 10s or 100s of repositories
  • You want SLSA Level 1 (unsigned) or Level 2 (signed) as structured, independently validated evidence

SLSA Levels Explained with Scribe

Scribe’s platforms discover command automatically creates SLSA provenance for each image build it detects. The SLSA level produced (Level 1 or Level 2) depends solely on whether the provenance is cryptographically signed.

  • SLSA Level 1 (Unsigned Provenance): This level of provenance is generated by default when you use platforms discover. It captures essential information about the build process, as extracted from logs, but the provenance statement itself is not cryptographically signed. This provides a valuable, machine-readable record of the build, offering transparency and traceability.

  • SLSA Level 2 (Signed Provenance): To achieve SLSA Level 2, the provenance generated by platforms discover must be cryptographically signed by a trusted entity. Scribe facilitates this through the --valint.sign flag, which integrates with a signing capability (like Scribe Hub's attestation signing capability). Signing the provenance provides strong assurance that the provenance has not been tampered with and that it originates from a verified source.

What Scribe Platforms Does Under the Hood

Behind the scenes, Scribe Platforms performs several steps to turn raw workflow logs into SLSA-compliant provenance:

  • Analyze GitHub Actions logs across multiple repositories
    Detects every image build (Docker, Buildah, Podman) without altering your pipelines.
  • Extract critical build metadata automatically
    Pulls builder, tag, digest, and timestamp information straight from the logs.
  • Generate and Link SBOM evidence
    Generates and associates both source-code and image SBOMs with the build for end-to-end traceability.
  • Generate in-toto SLSA statements (L1 or L2)
    Produces valid provenance, optionally signing it when --valint.sign is enabled.
  • Run SLSA-compliance initiatives
    Once each provenance file is written, Scribe automatically executes the matching policy-as-code initiative (slsa.l1 for unsigned L1, slsa.l2 for signed L2).
    The initiative verifies the evidence set, emits a SARIF report detailing compliance status, and (for Level 2) signs that report before attaching it as additional, verifiable evidence.
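
A sketch of the log-extraction step described above, as an added example rather than Scribe's own parser: it pulls the timestamp, tags, build arguments and image ID out of build-log lines, tokenising quote-aware so that a quoted build argument containing spaces stays in one piece. The log lines are constructed, modelled on the build_log and imageID_log fields shown in Appendix A; the function name and the per-line UTC timestamp prefix are assumptions.

```python
import re
import shlex

IMAGE_ID = "0123456789abcdef" * 4  # constructed 64-hex image ID

# Constructed log lines, modelled on the build_log / imageID_log values in
# Appendix A. The leading UTC timestamp on each line is an assumption.
SAMPLE_LOG = (
    "2025-01-01T10:00:00.0000000Z running cmd=[docker buildx] cwd=/tmp/build "
    "args=[--builder default build . --load "
    "-t example-org/example-app:v1.2.3 -t example-org/example-app:latest "
    "--build-arg=BUILD_VERSION=1.2.3 "
    '--build-arg=DESCRIPTION="Example data provider" '
    "--build-arg=PROJECT_NAME=example-app]\n"
    "2025-01-01T10:01:30.0000000Z #13 writing image sha256:" + IMAGE_ID + " done\n"
)

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s")
ARGS_RE = re.compile(r"cmd=\[docker buildx\].*?args=\[(.*)\]\s*$")
IMAGE_RE = re.compile(r"writing image (sha256:[0-9a-f]{64})\b")


def parse_build_log(text):
    """Return one record per `docker buildx` invocation found in the log."""
    builds, current = [], None
    for line in text.splitlines():
        ts = TS_RE.match(line)
        m = ARGS_RE.search(line)
        if m:
            current = {"timestamp": ts.group(1) if ts else None, "tags": [],
                       "build_args": {}, "image_id": None, "error": None}
            builds.append(current)
            try:
                # shlex keeps a quoted value with spaces as a single token.
                argv = shlex.split(m.group(1))
            except ValueError as exc:  # unbalanced quote in the log line
                current["error"] = str(exc)
                continue
            it = iter(argv)
            for tok in it:
                if tok in ("-t", "--tag"):
                    current["tags"].append(next(it, ""))
                elif tok.startswith("--tag="):
                    current["tags"].append(tok[len("--tag="):])
                elif tok == "--build-arg" or tok.startswith("--build-arg="):
                    pair = next(it, "") if tok == "--build-arg" else tok[len("--build-arg="):]
                    key, _, value = pair.partition("=")
                    current["build_args"][key] = value
            continue
        m = IMAGE_RE.search(line)
        if m and current is not None:
            # Attach the image ID to the most recent build command.
            current["image_id"] = m.group(1)
    return builds


if __name__ == "__main__":
    for build in parse_build_log(SAMPLE_LOG):
        print(build)
```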

Example Usage L1 (Unsigned Provenance)

The following command will generate SLSA Level 1 provenance. The provenance document will contain rich build metadata but will not be cryptographically signed.

platforms discover github \
  --scope.organization scribe-security \
  --scope.repository "valint" \
  --repository.mapping "*::valint_slsa::v1" \
  --commit.skip \
  --slsa-enable \
  --slsa.tags-only

This command will:

  • Scan recent GitHub workflows for the scribe-security organization.
  • Match release workflows from valint repositories.
  • Extract image build metadata from logs.
  • Generate SLSA Level 1 provenance (unsigned).
  • Include links to source and image SBOMs.
  • Export the evidence under product key valint_slsa with version v1.

Example Usage L2 (Signed Provenance)

To generate SLSA Level 2 provenance, you need to sign the provenance statement. This is done by adding the --valint.sign flag. This typically requires integration with a signing service (e.g., Scribe Hub's attestation signing).

platforms discover --valint.sign github \
  --scope.organization scribe-security \
  --scope.repository "valint" \
  --repository.mapping "*::valint_slsa::v1" \
  --commit.skip \
  --slsa-enable \
  --slsa.tags-only

This command will:

  • Perform all actions of the L1 example.
  • Cryptographically sign the generated SLSA provenance statements, elevating them to SLSA Level 2.

Example GitHub Actions Workflow

ℹ️ Tip: It's recommended to schedule this workflow (instead of running manually) to ensure timely collection of logs before GitHub Actions deletes them (typically after 90 days).

You can also run the discover command from within GitHub Actions using the Scribe Security GitHub Action:

name: Discover SLSA Provenance from GitHub

on:
  schedule:
    - cron: '0 4 * * *' # Runs daily at 04:00 UTC
  workflow_dispatch:

permissions:
  id-token: write # Allows Sigstore signing via GitHub OIDC identity
  contents: read

jobs:
  discover-slsa:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GH_PAT_TOKEN }}
      SCRIBE_TOKEN: ${{ secrets.GH_CI_DEV_SCRIBE_SECRET }}
    steps:
      - name: Discover GitHub Provenance
        uses: scribe-security/action-platforms@dev
        with:
          command: discover
          platform: github
          sign: true # required for SLSA Level 2
          slsa: true
          args: >-
            --slsa-enable
            --slsa.tags-only
            --scope.organization=scribe-security
            --scope.repository=valint
            --organization.mapping=scribe-security::valint_slsa::v1
            --repository.mapping=scribe-security*valint::valint_slsa::v1

Key Flags

| Flag | Description |
| --- | --- |
| --slsa-enable | Enable SLSA provenance extraction and export |
| --valint.sign | (For SLSA L2) Enables cryptographic signing of the generated SLSA provenance. This typically requires configuration for a signing backend (e.g., X509 Keys, Sigstore - GitHub's OIDC, or an external KMS). |
| --slsa.tags-only | Limit to tag-based builds only |
| --slsa.all-versions | Include SLSA Provenance evidence for all published images (all versions) rather than just the latest for each tag. By default, only the latest image provenance is included. |
| --slsa.scope.branch | Restrict provenance to specific branches |
| --slsa.scope.tag | Restrict provenance to matching tags |
| --slsa.scope.workflow | Restrict provenance to named workflows/jobs |
| --slsa.scope.image | Restrict provenance to particular image names/repositories |
| --repository.mapping | Assign product key for evidence export |
| --skip-cache | Force recomputation even if cached results exist |

Proving SLSA Compliance with Policy-as-Code Initiatives

After Scribe generates SLSA provenance for your container images, it automatically takes a critical extra step: it runs policy-as-code initiatives against the provenance and its associated evidence. This provides a robust, verifiable way to demonstrate SLSA compliance.

What are Scribe Initiatives?

Scribe Initiatives are predefined or custom sets of policy rules that evaluate your software supply chain's compliance. For SLSA, Scribe offers specific initiatives to verify various aspects of your provenance and its linked SBOMs (Software Bill of Materials) for both source and image.

These initiatives check for things like:

  • The existence and integrity of the provenance document and its linked SBOMs.
  • That critical fields in the provenance (e.g., builder identity, source repository) match expected values.
  • For SLSA Level 2, that both the provenance and the resulting SARIF (Static Analysis Results Interchange Format) compliance report are cryptographically signed, ensuring their authenticity.

The outcome of these evaluations is a SARIF report. This report details your compliance status, highlights any policy deviations, and links back to all relevant evidence. For SLSA Level 2, this SARIF report is also signed, adding another layer of verifiable assurance.

This automated verification and reporting gives you:

  • Robust Compliance Proof: Independently validated evidence of your SLSA adherence.
  • End-to-End Traceability: Links all artifacts and reports directly to the build process.
  • Streamlined Auditing: A standardized, machine-readable format for compliance reporting.

Further Reading and Resources

For more details on Scribe's policy-as-code initiatives and their role in SLSA compliance, explore these resources:

What's Collected in the Provenance Attestation

  • subject: Captures the single output artifact of the build: its full image reference plus a SHA-256 digest (the cryptographic hash that uniquely fingerprints the image).
    This hash ties the provenance unambiguously to that exact image, even if the tag is later reused.

    Note: If a workflow emits multiple images, Scribe generates one provenance statement per image.

  • predicate.buildDefinition: Describes how the artifact was built. This includes:

    • Build System Details: Information about the CI/CD platform used (e.g., GitHub Actions workflow file, specific job, and run ID).
    • Source Code: The exact Git repository URL, commit SHA, and branch/tag that was built.
    • Build Parameters: External inputs such as Docker build arguments and the names of all repository-level secrets that were available to the job (values are never stored).
    • Resolved Dependencies: A comprehensive list of all inputs consumed by the build, including base images (Image SBOM source), third-party actions (Log Source), and tools.
  • predicate.runDetails: Details what happened during the build execution. This covers:

    • Builder Identity: A precise reference to the specific workflow definition or builder tool that orchestrated the build.
    • Execution Metadata: Timestamps for the start and end of the build, along with a unique invocation ID.
    • Byproducts: Additional artifacts produced during the build that contribute to the overall evidence. This includes references to build logs, intermediate container layers, and the generated Image SBOMs, linking them to their corresponding digests and relevant build context.

For a full example, see Appendix A - Provenance Example.
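
The kind of field check the initiatives section describes (builder identity and source repository matching expected values), applied to the fields listed above; this is an added example, not Scribe's slsa.l1 or slsa.l2 initiative code. Field paths follow the layout of the Appendix A statement, while the repository, commit and digests are constructed and the function names are hypothetical. It checks statement content only and does not verify signatures.

```python
import hashlib

# Hex length a digest value must have for each algorithm name.
HEX_LEN = {"sha1": 40, "sha256": 64, "sha512": 128}
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed expectations a verifier would hold out of band.
EXPECTED_REPO = "https://github.com/example-org/example-app"
EXPECTED_IMAGE = hashlib.sha256(b"constructed image").hexdigest()


def digest_findings(where, digest):
    """Flag digests whose value cannot belong to the named algorithm."""
    out = []
    for alg, value in (digest or {}).items():
        want = HEX_LEN.get(alg)
        if want is None:
            out.append(f"{where}: unknown digest algorithm {alg}")
        elif len(value) != want or set(value) - set("0123456789abcdef"):
            out.append(f"{where}: {alg} value is not {want} lowercase hex characters")
        elif value == EMPTY_SHA256:
            out.append(f"{where}: sha256 of empty input, nothing was hashed")
    return out


def check_provenance(stmt, image_digest, repo_url):
    """Return a list of findings; an empty list means every check passed."""
    out = []
    if stmt.get("predicateType") != SLSA_V1:
        out.append("predicateType is not SLSA provenance v1")

    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == image_digest for s in subjects):
        out.append("no subject carries the expected image digest")

    pred = stmt.get("predicate", {})
    build_def = pred.get("buildDefinition", {})
    run = pred.get("runDetails", {})
    ext = build_def.get("externalParameters", {})
    commit = ext.get("source", {}).get("digest", {}).get("sha1", "")
    if ext.get("context", {}).get("repository") != repo_url:
        out.append("source repository differs from the expected one")
    if ext.get("context", {}).get("git_commit") != commit:
        out.append("context.git_commit and source digest disagree")

    # Builder identity must be a workflow file in the expected repository,
    # pinned to the same commit that was built.
    builder_id = run.get("builder", {}).get("id", "")
    prefix = f"{repo_url}/blob/{commit}/.github/workflows/"
    if not commit or not builder_id.startswith(prefix):
        out.append("builder.id is not a workflow of the expected repository at the built commit")

    groups = {
        "subject": subjects,
        "resolvedDependencies": build_def.get("resolvedDependencies", []),
        "byproducts": run.get("byproducts", []),
    }
    for name, items in groups.items():
        for i, item in enumerate(items):
            out += digest_findings(f"{name}[{i}]", item.get("digest"))
    return out


def sample_statement():
    """Constructed statement using the field layout of Appendix A."""
    commit = hashlib.sha1(b"constructed commit").hexdigest()
    log_digest = hashlib.sha256(b"constructed log").hexdigest()
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SLSA_V1,
        "subject": [{"name": "example-org/example-app", "digest": {"sha256": EXPECTED_IMAGE}}],
        "predicate": {
            "buildDefinition": {
                "externalParameters": {
                    "context": {"repository": EXPECTED_REPO, "git_commit": commit},
                    "source": {"uri": f"git:{EXPECTED_REPO}.git", "digest": {"sha1": commit}},
                },
                "resolvedDependencies": [
                    {"uri": f"git:{EXPECTED_REPO}.git", "digest": {"sha1": commit}},
                ],
            },
            "runDetails": {
                "builder": {"id": f"{EXPECTED_REPO}/blob/{commit}/.github/workflows/release.yml"},
                "byproducts": [{"uri": "constructed://build-log", "digest": {"sha256": log_digest}}],
            },
        },
    }


def tampered_statement():
    """The same sample with three defects a policy check should catch."""
    stmt = sample_statement()
    pred = stmt["predicate"]
    pred["runDetails"]["builder"]["id"] = (
        "https://github.com/other-org/fork/blob/main/.github/workflows/release.yml")
    pred["buildDefinition"]["resolvedDependencies"][0]["digest"] = {"sha1": "ab" * 32}
    pred["runDetails"]["byproducts"][0]["digest"] = {"sha256": EMPTY_SHA256}
    return stmt


if __name__ == "__main__":
    for finding in check_provenance(tampered_statement(), EXPECTED_IMAGE, EXPECTED_REPO):
        print("FAIL:", finding)
```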

Compatibility

Log Sources

  • GitHub Actions

Build Tools

  • Docker
  • Podman
  • Buildah

Appendix A - Provenance Example

SLSA Provenance example
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{
"name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"digest": {
"sha256": "f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1"
}
},
{
"name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"digest": {
"sha256": "96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
}
},
{
"name": "scribe://target/",
"digest": {
"sha256": "7f7cb3f64eedcf3c4f90545dd611bf739b7e990584995143bc61f97aeaa7dc71"
}
}
],
"predicate": {
"buildDefinition": {
"buildType": "https://docs.scribesecurity.com/buildtypes/github-workflow/v1",
"externalParameters": {
"context": {
"ADDED_BY": "platforms",
"event": "push",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"repository": "https://github.com/scribe-security/gatekeeper-valint",
"run_name": "release",
"source_git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git"
},
"head_commit": {
"author": {
"email": "mdstrauss91@gmail.com",
"name": "houdini91"
},
"committer": {
"email": "mdstrauss91@gmail.com",
"name": "houdini91"
},
"id": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"message": "upstream",
"timestamp": "2025-06-05T10:57:04Z",
"tree_id": "60391731fb5752c01eaeb94a0f6252789bb08759"
},
"pipeline": {
"actor": "houdini91",
"build_num": "49",
"job": "call-release ",
"run_id": "15465260889",
"type": "github",
"workflow": "release"
},
"source": {
"digest": {
"sha1": "8845c03b89e38df1d1f3d18268f6253ac5fd190e"
},
"uri": "git:https://github.com/scribe-security/gatekeeper-valint.git@refs/tags/v2.0.4"
}
},
"internalParameters": {
"build": {
"build_args": [
"BUILD_DATE=2025-06-05T10:59:13Z",
"BUILD_VERSION=2.0.4",
"VCS_REF=8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"VCS_URL=https://github.com/scribe-security/gatekeeper-valint",
"BUILD_VERSION=2.0.4",
"DESCRIPTION=\"Valint",
"PROJECT_NAME=gatekeeper-valint]"
],
"build_log": "• running cmd=[docker buildx] cwd=/tmp/goreleaserdocker213353077 args=[--builder default build . --load -t scribesecurity/gatekeeper-valint:v2.0.4 -t scribesecurity/gatekeeper-valint:latest --build-arg=BUILD_DATE=2025-06-05T10:59:13Z --build-arg=BUILD_VERSION=2.0.4 --build-arg=VCS_REF=8845c03b89e38df1d1f3d18268f6253ac5fd190e --build-arg=VCS_URL=https://github.com/scribe-security/gatekeeper-valint --build-arg=BUILD_VERSION=2.0.4 --build-arg=DESCRIPTION=\"Valint gatekeeper external data provider\" --build-arg=PROJECT_NAME=gatekeeper-valint]",
"secret_list": [
"SCRIBE_DEV_M2M_CLIENT_ID",
"SCRIBE_DEV_M2M_CLIENT_SECRET",
"SCRIBE_STAGING_M2M_CLIENT_ID",
"SCRIBE_STAGING_M2M_CLIENT_SECRET"
]
},
"context": {
"actor": "houdini91",
"asset_id": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"asset_name": "scribesecurity/gatekeeper-valint:v2.0.4",
"asset_type": "image",
"build_num": "49",
"content_body_type": "slsa",
"content_type": "statement-slsa",
"context_type": "local",
"created": "2025-06-05T11:01:59.058746094Z",
"extra_labels": [
"component-group=base_image",
"component-group=metadata"
],
"format_encoding": "json",
"format_type": "slsa",
"format_version": "v1",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"imageID": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"image_name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"input_name": "scribesecurity/gatekeeper-valint",
"input_scheme": "docker",
"input_tag": "v2.0.4@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"job_name": "call-release ",
"labels": [
"platform=github",
"asset_type=slsa_target",
"parent-asset-id=scribe-security/gatekeeper-valint",
"parent-asset-type=repository",
"parent-asset-name=gatekeeper-valint",
"cache_key=15465260889",
"component-group=base_image",
"component-group=metadata"
],
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"platform": "linux/amd64",
"predicate_type": "https://slsa.dev/provenance/v1",
"product_version": "v1",
"repoDigest": [
"scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1"
],
"run_id": "15465260889",
"sbomcomponents": [
"base_image",
"metadata"
],
"sbomgroup": "container",
"sbomhashs": [
"sha256-f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sha256-96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
],
"sbomname": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sbompurl": "pkg:docker/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d?arch=amd64",
"sbomtype": "container",
"sbomversion": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"size": 124078632,
"target_type": "container",
"timestamp": "2025-06-12T11:48:47+03:00",
"tool": "valint",
"tool_vendor": "Scribe Security",
"tool_version": "2.0.0-3-SNAPSHOT-a1e7b37",
"user": "mikey",
"workflow": "release"
}
},
"resolvedDependencies": [
{
"uri": "git:https://github.com/scribe-security/gatekeeper-valint.git@refs/tags/v2.0.4",
"digest": {
"sha1": "8845c03b89e38df1d1f3d18268f6253ac5fd190e"
},
"name": "refs/tags/v2.0.4",
"annotations": {
"branch": "v2.0.4",
"tag": ""
}
},
{
"uri": "scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"annotations": {
"ADDED_BY": "valint",
"SBOM_METADATA": {
"OS": "linux",
"actor": "houdini91",
"architecture": "amd64",
"build_num": "49",
"context_type": "local",
"created": "2025-06-05T11:01:59.058746094Z",
"entrypoint": "/home/scribe/docker/entrypoint.sh, /home/scribe/${PROJECT_NAME}",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"imageEnvironment_0": "PATH=/home/scribe/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"imageEnvironment_1": "PROJECT_NAME=gatekeeper-valint",
"imageID": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"imageUser": "65532:65532",
"input_name": "scribesecurity/gatekeeper-valint",
"input_scheme": "docker",
"input_tag": "v2.0.4@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"job_name": "call-release ",
"label_io.artifacthub.package.license": "Apache-2.0",
"label_io.artifacthub.package.name": "gatekeeper-valint",
"label_io.artifacthub.package.readme-url": "https://raw.githubusercontent.com/scribe-security/gatekeeper-valint/README.md",
"label_io.artifacthub.package.vendor": "Scribe security, Inc.",
"label_org.opencontainers.image.created": "2025-06-05T10:59:13Z",
"label_org.opencontainers.image.description": "\"Valint gatekeeper external data provider\"",
"label_org.opencontainers.image.revision": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"label_org.opencontainers.image.source": "https://github.com/scribe-security/gatekeeper-valint",
"label_org.opencontainers.image.title": "gatekeeper-valint",
"label_org.opencontainers.image.vendor": "Scribe security, Inc.",
"label_org.opencontainers.image.version": "2.0.4",
"labels_0": "platform=github",
"labels_1": "asset_type=slsa_target",
"labels_2": "parent-asset-id=scribe-security/gatekeeper-valint",
"labels_3": "parent-asset-type=repository",
"labels_4": "parent-asset-name=gatekeeper-valint",
"labels_5": "cache_key=15465260889",
"manifest-digest": "sha256:94023f7bbe13163404aada47909e965ee98addd9b65edc805d293235be582596",
"media-type": "application/vnd.docker.distribution.manifest.v2+json",
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"product_version": "v1",
"registry_location": "index.docker.io",
"registry_scheme": "https",
"repoDigest_0": "scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"run_id": "15465260889",
"size": "124078632",
"target_type": "container",
"timestamp": "2025-06-12T11:48:47+03:00",
"user": "mikey",
"workflow": "release"
}
}
},
{
"uri": "https://github.com/actions/checkout",
"digest": {
"sha1": "942562b9c7d4b1f2557f1da21f4d3eb4eb4fd01f2ad78b2a6e187d1b193e0a0f"
},
"name": "actions/checkout@v3",
"annotations": {
"action_ref": "v3",
"action_ref_type": "major",
"env": {
"ARTIFACTORY_URL": "https://scribesecuriy.jfrog.io",
"GOPRIVATE": "github.com/scribe-security/*",
"GO_VERSION": "1.21"
},
"inputs": {
"clean": "true",
"fetch-depth": "0",
"fetch-tags": "false",
"lfs": "false",
"persist-credentials": "true",
"repository": "scribe-security/gatekeeper-valint",
"set-safe-directory": "true",
"sparse-checkout-cone-mode": "true",
"ssh-strict": "true",
"submodules": "false",
"token": "***"
},
"version": "3.6.0"
}
},
{
"uri": "https://github.com/actions/setup-go",
"digest": {
"sha1": "1b5ba729a06c8434c34b6776887b6934e562a955369e9f11807883dd5e99cd81"
},
"name": "actions/setup-go@v3",
"annotations": {
"action_ref": "v3",
"action_ref_type": "major",
"env": {
"ARTIFACTORY_URL": "https://scribesecuriy.jfrog.io",
"GOPRIVATE": "github.com/scribe-security/*",
"GO_VERSION": "1.21"
},
"inputs": {
"cache": "false",
"check-latest": "false",
"go-version": "1.21",
"token": "***"
},
"version": "3.6.1"
}
},
{
"uri": "https://github.com/actions/cache",
"digest": {
"sha1": "912f76fb11db1ca09ae23248a39eb86e79ea0f0f6e183d9cb96d0b778eeea4e2"
},
"name": "actions/cache@v3",
"annotations": {
"action_ref": "v3",
"action_ref_type": "major",
"env": {
"ARTIFACTORY_URL": "https://scribesecuriy.jfrog.io",
"GOPRIVATE": "github.com/scribe-security/*",
"GO_VERSION": "1.21"
},
"inputs": {
"enableCrossOsArchive": "false",
"fail-on-cache-miss": "false",
"key": "Linux-go-1.21-14fb4d3c9f15f444578334a60ca0e69141dd77054775852da7ca35a3e2e5f96e",
"lookup-only": "false",
"path": "~/go/pkg/mod",
"restore-keys": "Linux-go-1.21-"
},
"version": "3.4.3"
}
},
{
"uri": "https://github.com/docker/login-action",
"digest": {
"sha1": "074da69a9e77797ae469f40db0f64632c02629b61bfa229f2fa803f41a464283"
},
"name": "docker/login-action@v2",
"annotations": {
"action_ref": "v2",
"action_ref_type": "major",
"env": {
"ARTIFACTORY_URL": "https://scribesecuriy.jfrog.io",
"GOPRIVATE": "github.com/scribe-security/*",
"GO_VERSION": "1.21"
},
"inputs": {
"ecr": "auto",
"logout": "true",
"password": "***",
"username": "scribesecurity"
},
"version": "2.2.0"
}
},
{
"uri": "https://github.com/actions/upload-artifact",
"digest": {
"sha1": "290722aa3281d5caf23d0acdc3dbeb3424786a1a01a9cc97e72f147225e37c38"
},
"name": "actions/upload-artifact@v4",
"annotations": {
"action_ref": "v4",
"action_ref_type": "major",
"env": {
"ARTIFACTORY_URL": "https://scribesecuriy.jfrog.io",
"GOPRIVATE": "github.com/scribe-security/*",
"GO_VERSION": "1.21"
},
"inputs": {
"compression-level": "6",
"if-no-files-found": "warn",
"include-hidden-files": "false",
"name": "artifacts",
"overwrite": "false",
"path": "dist/**/*"
},
"version": "4.6.2"
}
}
]
},
"runDetails": {
"builder": {
"id": "https://github.com/scribe-security/gatekeeper-valint/blob/8845c03b89e38df1d1f3d18268f6253ac5fd190e/.github/workflows/release.yml",
"builderDependencies": [
{
"uri": "https://scribesecuriy.jfrog.io/scribe-docker-public-local/valint:2.0.0-3-SNAPSHOT-a1e7b37",
"name": "valint",
"annotations": {
"ADDED_BY": "valint",
"vendor": "Scribe security, Inc",
"version": "2.0.0-3-SNAPSHOT-a1e7b37"
}
}
]
},
"metadata": {
"invocationID": "15465260889",
"startedOn": "2025-06-05T10:57:25Z",
"finishedOn": "2025-06-05T10:57:25Z"
},
"byproducts": [
{
"uri": "pkg:layer/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A7483facda2dd4ca8c8ec97443ccac2dbb8202c11a80bd2032c532f3e42b2a22e?index=0",
"digest": {
"sha256": "7483facda2dd4ca8c8ec97443ccac2dbb8202c11a80bd2032c532f3e42b2a22e"
},
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"annotations": {
"ADDED_BY": "valint",
"CreatedBy": "COPY /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt # buildkit",
"index": "0",
"size": "221335"
}
},
{
"uri": "pkg:layer/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A73d4c6ce708fe21d12ec8dc1bb9d293564b5af387e52b540b1290bdaaf648097?index=1",
"digest": {
"sha256": "73d4c6ce708fe21d12ec8dc1bb9d293564b5af387e52b540b1290bdaaf648097"
},
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"annotations": {
"ADDED_BY": "valint",
"CreatedBy": "COPY / / # buildkit",
"index": "1",
"size": "28812158"
}
},
{
"uri": "pkg:layer/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A6a796d2334354cef859a961595c4b6688c57d28426ea7e81c46794f98ddf22f8?index=2",
"digest": {
"sha256": "6a796d2334354cef859a961595c4b6688c57d28426ea7e81c46794f98ddf22f8"
},
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"annotations": {
"ADDED_BY": "valint",
"CreatedBy": "RUN |6 DESCRIPTION=\"Valint gatekeeper external data provider\" BUILD_DATE=2025-06-05T10:59:13Z BUILD_VERSION=2.0.4 VCS_REF=8845c03b89e38df1d1f3d18268f6253ac5fd190e VCS_URL=https://github.com/scribe-security/gatekeeper-valint PROJECT_NAME=gatekeeper-valint /bin/sh -c /bin/mkdir -p /etc/scribe/keys /home/scribe/ # buildkit",
"index": "2",
"size": "0"
}
},
{
"uri": "pkg:layer/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3Af48ae6c678043a30b5faff13298cf1e6db0c82d5ae7e1ef89b0c4225f97960f4?index=3",
"digest": {
"sha256": "f48ae6c678043a30b5faff13298cf1e6db0c82d5ae7e1ef89b0c4225f97960f4"
},
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"annotations": {
"ADDED_BY": "valint",
"CreatedBy": "COPY . /home/scribe/ # buildkit",
"index": "3",
"size": "95045139"
}
},
{
"uri": "pkg:layer/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef?index=4",
"digest": {
"sha256": "5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
},
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"annotations": {
"ADDED_BY": "valint",
"CreatedBy": "WORKDIR /home/scribe/",
"index": "4",
"size": "0"
}
},
{
"uri": "pkg:OS/wolfi@20230201",
"name": "wolfi",
"annotations": {
"ADDED_BY": "valint",
"BugReportURL": "https://github.com/wolfi-dev/os/issues",
"HomeURL": "https://wolfi.dev",
"ID": "wolfi",
"Name": "Wolfi",
"PrettyName": "Wolfi",
"VersionID": "20230201"
}
},
{
"uri": "https://api.github.com/repos/scribe-security/gatekeeper-valint/actions/runs/15465260889/logs",
"digest": {
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
"name": "scribe-security/gatekeeper-valint/release/15465260889/call-release ",
"mediaType": "text/plain",
"annotations": {
"ADDED_BY": "platforms",
"build_args": [
"BUILD_DATE=2025-06-05T10:59:13Z",
"BUILD_VERSION=2.0.4",
"VCS_REF=8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"VCS_URL=https://github.com/scribe-security/gatekeeper-valint",
"BUILD_VERSION=2.0.4",
"DESCRIPTION=\"Valint",
"PROJECT_NAME=gatekeeper-valint]"
],
"build_log": "• running cmd=[docker buildx] cwd=/tmp/goreleaserdocker213353077 args=[--builder default build . --load -t scribesecurity/gatekeeper-valint:v2.0.4 -t scribesecurity/gatekeeper-valint:latest --build-arg=BUILD_DATE=2025-06-05T10:59:13Z --build-arg=BUILD_VERSION=2.0.4 --build-arg=VCS_REF=8845c03b89e38df1d1f3d18268f6253ac5fd190e --build-arg=VCS_URL=https://github.com/scribe-security/gatekeeper-valint --build-arg=BUILD_VERSION=2.0.4 --build-arg=DESCRIPTION=\"Valint gatekeeper external data provider\" --build-arg=PROJECT_NAME=gatekeeper-valint]",
"imageID_log": "#13 writing image sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d done",
"log_filepath": "0_call-release _ release.txt",
"workflow_file": "https://github.com/scribe-security/gatekeeper-valint/blob/8845c03b89e38df1d1f3d18268f6253ac5fd190e/.github/workflows/release.yml"
}
},
{
"uri": "scribesecurity/gatekeeper-valint:v2.0.4@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"digest": {
"sha256": "96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
},
"name": "scribesecurity/gatekeeper-valint:v2.0.4",
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"annotations": {
"ADDED_BY": "platforms",
"image_id": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
}
},
{
"uri": "https://github.com/scribe-security/gatekeeper-valint.git",
"digest": {
"sha1": "8845c03b89e38df1d1f3d18268f6253ac5fd190e"
},
"name": "https://github.com/scribe-security/gatekeeper-valint.git",
"mediaType": "application/vnd.in-toto+json",
"annotations": {
"context": {
"actor": "houdini91",
"build_num": "49",
"content_body_type": "cyclonedx-json",
"content_type": "statement-cyclonedx-json",
"context_type": "local",
"dir_id": "sha256:a89281ab7752d169fd47c0d8ac1cbeac701d4f63608774b2ab0e2a6624bedbc4",
"dir_path": "/home/mikey/scribe/platforms_lib/output/clone/15465260889/v2.0.4/8845c03b89e38df1d1f3d18268f6253ac5fd190e/gatekeeper-valint/clone/gatekeeper-valint",
"extra_labels": [
"component-group=packages",
"component-group=dep",
"component-group=metadata"
],
"format_encoding": "json",
"format_type": "cyclonedx",
"format_version": "1.5",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"input_name": "https://github.com/scribe-security/gatekeeper-valint.git",
"input_scheme": "git",
"job_name": "call-release ",
"labels": [
"platform=github",
"asset_type=slsa_target",
"parent-asset-id=scribe-security/gatekeeper-valint",
"parent-asset-type=repository",
"parent-asset-name=gatekeeper-valint",
"cache_key=15465260889",
"component-group=packages",
"component-group=dep",
"component-group=metadata"
],
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"predicate_type": "https://cyclonedx.org/bom/v1.5",
"product_version": "v1",
"ref": "113193",
"run_id": "15465260889",
"sbomcomponents": [
"packages",
"dep",
"metadata"
],
"sbomgroup": "git",
"sbomhashs": [
"sha1-8845c03b89e38df1d1f3d18268f6253ac5fd190e"
],
"sbomname": "https://github.com/scribe-security/gatekeeper-valint.git",
"sbompurl": "pkg:git/https%3A/github.com/scribe-security/gatekeeper-valint.git@8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"sbomtype": "file",
"sbomversion": "sha1:8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"store": "scribe",
"target_git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"target_git_ref": "refs/tags/v2.0.4",
"target_git_tag": "v2.0.4",
"target_git_url": "https://github.com/scribe-security/gatekeeper-valint.git",
"target_type": "git",
"timestamp": "2025-06-12T11:48:42+03:00",
"tool": "valint",
"tool_vendor": "Scribe Security",
"tool_version": "2.0.0-3-SNAPSHOT-a1e7b37",
"user": "mikey",
"workflow": "release"
},
"ref-id": "113193",
"target-type": "git"
}
},
{
"uri": "https://github.com/scribe-security/gatekeeper-valint.git",
"digest": {
"sha1": "8845c03b89e38df1d1f3d18268f6253ac5fd190e"
},
"name": "https://github.com/scribe-security/gatekeeper-valint.git",
"mediaType": "application/vnd.in-toto+json",
"annotations": {
"context": {
"actor": "houdini91",
"build_num": "49",
"content_body_type": "cyclonedx-json",
"content_type": "statement-cyclonedx-json",
"context_type": "local",
"dir_id": "sha256:a89281ab7752d169fd47c0d8ac1cbeac701d4f63608774b2ab0e2a6624bedbc4",
"dir_path": "/home/mikey/scribe/platforms_lib/output/clone/15465260889/v2.0.4/8845c03b89e38df1d1f3d18268f6253ac5fd190e/gatekeeper-valint/clone/gatekeeper-valint",
"extra_labels": [
"component-group=packages",
"component-group=dep",
"component-group=metadata"
],
"format_encoding": "json",
"format_type": "cyclonedx",
"format_version": "1.5",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"input_name": "https://github.com/scribe-security/gatekeeper-valint.git",
"input_scheme": "git",
"job_name": "call-release ",
"labels": [
"platform=github",
"asset_type=slsa_target",
"parent-asset-id=scribe-security/gatekeeper-valint",
"parent-asset-type=repository",
"parent-asset-name=gatekeeper-valint",
"cache_key=15465260889",
"component-group=packages",
"component-group=dep",
"component-group=metadata"
],
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"predicate_type": "https://cyclonedx.org/bom/v1.5",
"product_version": "v1",
"ref": "113193",
"run_id": "15465260889",
"sbomcomponents": [
"packages",
"dep",
"metadata"
],
"sbomgroup": "git",
"sbomhashs": [
"sha1-8845c03b89e38df1d1f3d18268f6253ac5fd190e"
],
"sbomname": "https://github.com/scribe-security/gatekeeper-valint.git",
"sbompurl": "pkg:git/https%3A/github.com/scribe-security/gatekeeper-valint.git@8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"sbomtype": "file",
"sbomversion": "sha1:8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"store": "scribe",
"target_git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"target_git_ref": "refs/tags/v2.0.4",
"target_git_tag": "v2.0.4",
"target_git_url": "https://github.com/scribe-security/gatekeeper-valint.git",
"target_type": "git",
"timestamp": "2025-06-12T11:48:42+03:00",
"tool": "valint",
"tool_vendor": "Scribe Security",
"tool_version": "2.0.0-3-SNAPSHOT-a1e7b37",
"user": "mikey",
"workflow": "release"
},
"ref-id": "/home/mikey/.cache/valint/sha1-8845c03b89e38df1d1f3d18268f6253ac5fd190e.bom.statement.json",
"target-type": "git"
}
},
{
"uri": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"digest": {
"sha256": "96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
},
"name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"mediaType": "application/vnd.in-toto+json",
"annotations": {
"context": {
"actor": "houdini91",
"asset_id": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"asset_name": "scribesecurity/gatekeeper-valint:v2.0.4",
"asset_type": "image",
"build_num": "49",
"content_body_type": "cyclonedx-json",
"content_type": "statement-cyclonedx-json",
"context_type": "local",
"created": "2025-06-05T11:01:59.058746094Z",
"extra_labels": [
"component-group=base_image",
"component-group=metadata"
],
"format_encoding": "json",
"format_type": "slsa",
"format_version": "v1",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"imageID": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"image_name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"input_name": "scribesecurity/gatekeeper-valint",
"input_scheme": "docker",
"input_tag": "v2.0.4@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"job_name": "call-release ",
"labels": [
"platform=github",
"asset_type=slsa_target",
"parent-asset-id=scribe-security/gatekeeper-valint",
"parent-asset-type=repository",
"parent-asset-name=gatekeeper-valint",
"cache_key=15465260889",
"component-group=base_image",
"component-group=metadata"
],
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"platform": "linux/amd64",
"predicate_type": "https://slsa.dev/provenance/v1",
"product_version": "v1",
"ref": "113194",
"repoDigest": [
"scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1"
],
"run_id": "15465260889",
"sbomcomponents": [
"base_image",
"metadata"
],
"sbomgroup": "container",
"sbomhashs": [
"sha256-f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sha256-96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
],
"sbomname": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sbompurl": "pkg:docker/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d?arch=amd64",
"sbomtype": "container",
"sbomversion": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"size": 124078632,
"store": "scribe",
"target_type": "container",
"timestamp": "2025-06-12T11:48:47+03:00",
"tool": "valint",
"tool_vendor": "Scribe Security",
"tool_version": "2.0.0-3-SNAPSHOT-a1e7b37",
"user": "mikey",
"workflow": "release"
},
"ref-id": "113194",
"target-type": "container"
}
},
{
"uri": "scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"digest": {
"sha256": "96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
},
"name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"mediaType": "application/vnd.in-toto+json",
"annotations": {
"context": {
"actor": "houdini91",
"asset_id": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"asset_name": "scribesecurity/gatekeeper-valint:v2.0.4",
"asset_type": "image",
"build_num": "49",
"content_body_type": "cyclonedx-json",
"content_type": "statement-cyclonedx-json",
"context_type": "local",
"created": "2025-06-05T11:01:59.058746094Z",
"extra_labels": [
"component-group=base_image",
"component-group=metadata"
],
"format_encoding": "json",
"format_type": "slsa",
"format_version": "v1",
"git_branch": "v2.0.4",
"git_commit": "8845c03b89e38df1d1f3d18268f6253ac5fd190e",
"git_ref": "refs/tags/v2.0.4",
"git_url": "git:https://github.com/scribe-security/gatekeeper-valint.git",
"hostname": "mikey-laptop",
"imageID": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"image_name": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"input_name": "scribesecurity/gatekeeper-valint",
"input_scheme": "docker",
"input_tag": "v2.0.4@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"job_name": "call-release ",
"labels": [
"platform=github",
"asset_type=slsa_target",
"parent-asset-id=scribe-security/gatekeeper-valint",
"parent-asset-type=repository",
"parent-asset-name=gatekeeper-valint",
"cache_key=15465260889",
"component-group=base_image",
"component-group=metadata"
],
"name": "slsa_test_jun_11",
"organization": "scribe-security",
"platform": "linux/amd64",
"predicate_type": "https://slsa.dev/provenance/v1",
"product_version": "v1",
"ref": "113194",
"repoDigest": [
"scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1"
],
"run_id": "15465260889",
"sbomcomponents": [
"base_image",
"metadata"
],
"sbomgroup": "container",
"sbomhashs": [
"sha256-f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sha256-96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d"
],
"sbomname": "index.docker.io/scribesecurity/gatekeeper-valint@sha256:f27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1",
"sbompurl": "pkg:docker/index.docker.io/scribesecurity/gatekeeper-valint%40sha256%3Af27e22476ce83e2c3b2230cb7b4895f004ba73c9b8ebc77a9124540bd97039f1@sha256%3A96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d?arch=amd64",
"sbomtype": "container",
"sbomversion": "sha256:96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d",
"size": 124078632,
"store": "scribe",
"target_type": "container",
"timestamp": "2025-06-12T11:48:47+03:00",
"tool": "valint",
"tool_vendor": "Scribe Security",
"tool_version": "2.0.0-3-SNAPSHOT-a1e7b37",
"user": "mikey",
"workflow": "release"
},
"ref-id": "/home/mikey/.cache/valint/sha256-96831112f2b469894bc90f923b1e61a2cb486219d561b27fe5b92a5b3596b73d.bom.statement.json",
"target-type": "container"
}
}
]
}
}
}