SLSA Provenance Attestation


The SLSA Jenkins plugin generates SLSA provenance attestations for build artifacts.

Job configuration - Freestyle project

The plugin provides a Post-build action that, after a successful build, generates provenance attestations in SLSA format (<artifact-name>.intoto.jsonl or multiple.intoto.jsonl) for the artifacts that match a given filter.


Artifact Filter: Specifies the artifacts to include.

Target Directory: Specifies the directory where generated provenance attestations should be created.

Job configuration - Pipeline project

To use the plugin with the declarative pipeline syntax, add the following snippet to the Jenkinsfile:

...
post {
    success {
        provenanceRecorder artifactFilter: 'build/libs/**.jar', targetDirectory: 'build/slsa'
    }
}
...

Artifact Filter: Specifies the artifacts to include.

Target Directory: Specifies the directory where generated provenance attestations should be created.

Current limitations

  • only the Git SCM provider is supported so far
  • executed build steps are not yet recorded
  • signing of attestations is not yet supported
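Because the generated attestations are not signed yet, a consumer of the .intoto.jsonl output can still check the one thing it does carry: that the subject digests match the artifacts actually shipped. The verifier below is an added example, not part of the plugin; it assumes the file follows the usual in-toto layout (one DSSE envelope per line with a base64 payload wrapping a Statement with a SLSA provenance predicate) and uses a constructed envelope with made-up values.

```python
import base64
import hashlib
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample input: the bytes of one built artifact and an unsigned
# envelope attesting to its sha256. The builder id is a placeholder.
ARTIFACT_BYTES = b"constructed jar contents"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "build/libs/app.jar",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT_BYTES).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"builder": {"id": "https://jenkins.example/ (placeholder)"}},
}
ENVELOPE_LINE = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
    "signatures": [],  # empty: the plugin does not sign attestations yet
})


def verify_provenance(envelope_line, artifacts):
    """Check one .intoto.jsonl line against the artifacts we hold.

    artifacts maps subject name -> file bytes. Returns a dict with the
    predicate type, whether any signature is present, the subjects whose
    sha256 does not match (or that we do not have), and the artifacts the
    attestation does not cover at all.
    """
    envelope = json.loads(envelope_line)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
    statement = json.loads(base64.b64decode(envelope["payload"]))
    subjects = statement["subject"]
    result = {
        "predicate_type": statement.get("predicateType"),
        "signed": bool(envelope.get("signatures")),
        "mismatched": [],
        "unattested": sorted(set(artifacts) - {s["name"] for s in subjects}),
    }
    for subject in subjects:
        name = subject["name"]
        expected = subject.get("digest", {}).get("sha256")
        actual = hashlib.sha256(artifacts[name]).hexdigest() if name in artifacts else None
        if actual is None or actual != expected:
            result["mismatched"].append(name)
    return result
```

A real multiple.intoto.jsonl is verified by running verify_provenance over each non-empty line; until signing lands, "signed" will be False and the attestation only binds artifact identity, not who built it.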

LICENSE

Licensed under MIT, see LICENSE.