
Week 20 - SLSA, Provenance, and Reproducibility

20.1 Conceptual Core

  • SLSA (Supply chain Levels for Software Artifacts) is a graduated maturity model for build-pipeline integrity. Levels 1–4:
      • L1: Build process documented; provenance recorded.
      • L2: Hosted build service; signed provenance.
      • L3: Hardened, isolated builds; non-falsifiable provenance.
      • L4: Two-party review; reproducible.
  • Most production CI/CD pipelines reach L2 with effort, L3 with discipline. L4 is rare.
  • Provenance: a signed attestation describing how an artifact was built: source repo, commit, builder identity, build invocation, dependencies. The SLSA Provenance v1.0 schema is the standard.

20.2 Mechanical Detail

  • GitHub Actions has a built-in OIDC token that includes the workflow's repo + ref + sha. slsa-github-generator consumes this to produce SLSA L3 provenance for releases.
  • The cosign attest --type slsaprovenance flow attaches the provenance to the image.
  • Reproducibility: ideally every commit produces a byte-identical artifact. goreleaser supports this for Go binaries; for container images, buildah --source-date-epoch, pinned base images, deterministic file ordering, and no embedded build-host information make it possible.

20.3 Lab: "SLSA L3 in CI"

  1. Set up a GitHub Actions workflow that builds, scans, signs, and produces SLSA L3 provenance for an image on every release tag.
  2. Verify end-to-end: pull the image, retrieve its attestations, validate the provenance points back to the correct commit and CI run.
  3. Reproducibility: rebuild the same tag from a fresh runner; verify image digest stability.

20.4 Hardening Drill

  • Document the kill chain: an attacker compromises which exact thing in your pipeline, and what does each SLSA level actually mitigate? Be concrete.

20.5 Production Readiness Slice

  • Promotion gate: a Kubernetes admission policy (Kyverno, OPA, or policy-controller) that requires SLSA L3 provenance from your CI's identity for any production deploy.
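Added example (not part of the original curriculum) of the checks behind lab step 2 and the 20.5 promotion gate: after cosign verify-attestation has validated the DSSE signature, the gate still has to confirm that the statement's subject is the image being deployed, that the builder is the trusted L3 generator, and that the build is tied to the expected source commit and CI run. Field paths follow the SLSA Provenance v1.0 schema as emitted by slsa-github-generator; the repository, digests and run id are constructed placeholders.

```python
"""Promotion-gate checks on a SLSA v1.0 provenance statement, applied after
cosign verify-attestation has already validated the DSSE signature."""
import base64
import json

# Values the gate pins (constructed/hypothetical, not a real project).
TRUSTED_BUILDER_PREFIX = ("https://github.com/slsa-framework/slsa-github-generator/"
                          ".github/workflows/generator_container_slsa3.yml@refs/tags/")
EXPECTED_REPO = "https://github.com/example-org/example-app"
# Constructed sample in the shape slsa-github-generator emits for a container build.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": "https://slsa.dev/provenance/v1",
    "subject": [{"name": "ghcr.io/example-org/example-app", "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [
            {"uri": "git+" + EXPECTED_REPO + "@refs/tags/v1.2.3", "digest": {"gitCommit": "b" * 40}}]},
        "runDetails": {
            "builder": {"id": TRUSTED_BUILDER_PREFIX + "v1.10.0"},
            "metadata": {"invocationId": EXPECTED_REPO + "/actions/runs/1234/attempts/1"}}}}
# DSSE envelope as printed by `cosign download attestation` (signature checked elsewhere).
SAMPLE_ENVELOPE = {"payloadType": "application/vnd.in-toto+json",
                   "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
                   "signatures": [{"keyid": "", "sig": "<constructed placeholder>"}]}

def decode_dsse(envelope: dict) -> dict:
    """Unwrap the in-toto Statement carried in a DSSE envelope."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected DSSE payloadType")
    return json.loads(base64.b64decode(envelope["payload"]))

def check_provenance(stmt: dict, image_digest: str, commit: str, run_url: str) -> list:
    """Return policy failures; an empty list means the image may be promoted."""
    failures = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("not a SLSA provenance v1 predicate")
    subjects = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if image_digest.split(":", 1)[-1] not in subjects:
        failures.append("image digest is not a subject of this attestation")
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(TRUSTED_BUILDER_PREFIX):  # pins the L3 builder identity
        failures.append(f"untrusted builder: {builder!r}")
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith("git+" + EXPECTED_REPO + "@")
               and d.get("digest", {}).get("gitCommit") == commit for d in deps):
        failures.append("build is not tied to the expected repo and commit")
    if pred.get("runDetails", {}).get("metadata", {}).get("invocationId") != run_url:
        failures.append("invocationId does not match the expected CI run")
    return failures
```

The same four conditions are what a Kyverno, OPA or policy-controller rule encodes when it requires L3 provenance from your CI's identity.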

Month 5 Capstone Deliverable

A supply-chain/ workspace:

  1. sbom-pipeline/ - week 17 SBOM generation + attachment + diff tooling.
  2. vuln-triage/ - week 18 scanner config + VEX statements.
  3. cosign-flow/ - week 19 signing + admission verification.
  4. slsa-l3/ - week 20 reproducible build with verified provenance.

A SUPPLY_CHAIN.md documenting the full provenance flow from source commit to running container.
