SLSA Provenance Attestation

Jenkins Plugin GitHub release Jenkins Plugin Installs Build Status GitHub license

The SLSA Jenkins plugin generates SLSA provenance attestations for build artifacts.

Job configuration - Freestyle project

The plugin provides a Post-build action which will generate provenance attestations (<artifact-name>.intoto.jsonl or multiple.intoto.jsonl) in SLSA format for artifacts that match a given filter after a successful build.

job configuration

Artifact Filter: Specifies the artifacts to include.

Target Directory: Specifies the directory where generated provenance attestations should be created.

Job configuration - Pipeline project

In order to use the plugin with the descriptive pipeline syntax, the following snippet can be added:

...
post {
    success {
        provenanceRecorder artifactFilter: 'build/libs/**.jar', targetDirectory: 'build/slsa'
    }
}
...

Artifact Filter: Specifies the artifacts to include.

Target Directory: Specifies the directory where generated provenance attestations should be created.

Current limitations

  • currently only GIT SCM provider is supported
  • executed build steps are not yet recorded
  • signing of attestations is not yet supported

LICENSE

Licensed under MIT, see LICENSE.

Version: 40.v733b_0005fa_fd
Released:
Requires Jenkins 2.361.4
ID: slsa
Installed on 0.0013% of instances
View detailed version information
Links
GitHub
Open issues (Github)
Report an issue (Github)
Pipeline Step Reference
Javadoc
Labels
This plugin has no labels
Maintainers
Thomas Neidhart
Help us improve this page!
To propose a change submit a pull request to the plugin page on GitHub.