The SLSA Jenkins plugin generates SLSA provenance attestations for build artifacts.
The plugin provides a Post-build action which generates provenance attestations
(<artifact-name>.intoto.jsonl or multiple.intoto.jsonl) in SLSA format for artifacts
that match a given filter after a successful build.
Artifact Filter: Specifies the artifacts to include.
Target Directory: Specifies the directory where generated provenance attestations should be created.
In order to use the plugin with the Declarative Pipeline syntax, the following snippet can be added to the Jenkinsfile:
    ...
    post {
        success {
            provenanceRecorder artifactFilter: 'build/libs/**.jar', targetDirectory: 'build/slsa'
        }
    }
    ...
artifactFilter (Artifact Filter): Specifies the artifacts to include.
targetDirectory (Target Directory): Specifies the directory where generated provenance attestations should be created.
Current limitations:
- currently only the Git SCM provider is supported
- executed build steps are not yet recorded
- signing of attestations is not yet supported
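Because the plugin writes unsigned .intoto.jsonl files, anything that consumes them should at least check that each line is a well-formed DSSE envelope carrying an in-toto Statement with an SLSA provenance predicate, that the subject digests match the artifacts actually on disk, and that the empty signatures array is treated as "unauthenticated". The following script is an added example, not code from the plugin or this project: it constructs a sample envelope of the shape the plugin is described as producing (the DSSE and in-toto Statement field names are real format conventions; the builder id, the predicate contents and the predicateType version are assumptions), then runs those checks against constructed artifact bytes.

```python
import base64
import hashlib
import json

# Constructed stand-in for build/libs/app.jar; not a real artifact.
APP_JAR_BYTES = b"PK\x03\x04 constructed stand-in for build/libs/app.jar"
ARTIFACTS = {"build/libs/app.jar": APP_JAR_BYTES}  # constructed "workspace"

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"


def _statement(subject_name: str, data: bytes) -> dict:
    """Build an in-toto Statement for one artifact (predicate contents are an assumption)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name,
                     "digest": {"sha256": hashlib.sha256(data).hexdigest()}}],
        "predicateType": SLSA_PREDICATE_PREFIX + "v0.2",  # assumed version
        "predicate": {"builder": {"id": "https://jenkins.example/builder"}},  # assumed
    }


# One DSSE envelope per line, unsigned, as the plugin's limitation list describes.
SAMPLE_JSONL = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(
        json.dumps(_statement("build/libs/app.jar", APP_JAR_BYTES)).encode()).decode(),
    "signatures": [],
}) + "\n"


def check_provenance(jsonl_text: str, artifacts: dict) -> list:
    """Validate every envelope line; return one finding record per envelope.

    Each record lists the subjects named in the statement and the problems
    found (an empty list would mean fully consistent and signed).
    """
    results = []
    for lineno, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        env = json.loads(line)
        findings = []
        if env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
            findings.append("unexpected payloadType")
        stmt = json.loads(base64.b64decode(env["payload"]))
        if stmt.get("_type") != STATEMENT_TYPE:
            findings.append("not an in-toto v0.1 statement")
        if not str(stmt.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
            findings.append("predicateType is not SLSA provenance")
        # Subject digests must match the bytes we actually have; otherwise the
        # attestation describes a different artifact than the one being consumed.
        for subj in stmt.get("subject", []):
            name = subj.get("name")
            want = subj.get("digest", {}).get("sha256")
            data = artifacts.get(name)
            if data is None:
                findings.append(f"subject {name} not found locally")
            elif hashlib.sha256(data).hexdigest() != want:
                findings.append(f"digest mismatch for {name}")
        # No signatures means nothing ties this statement to the builder.
        if not env.get("signatures"):
            findings.append("unsigned: provenance is not authenticated")
        results.append({"line": lineno,
                        "subjects": [s.get("name") for s in stmt.get("subject", [])],
                        "findings": findings})
    return results


if __name__ == "__main__":
    for record in check_provenance(SAMPLE_JSONL, ARTIFACTS):
        print(record)
```

Run against the plugin's real output by reading the .intoto.jsonl file from the configured target directory and populating the artifacts dict from the files the filter matched; until signing lands, the "unsigned" finding will always be present and downstream policy should treat the provenance as informational rather than as proof of origin.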
Licensed under MIT, see LICENSE.