This feature is only available on Chainloop’s platform paid plans.

With Chainloop, you can continuously evaluate the SLSA compliance posture of your projects in three steps:

  • Configure your Chainloop Workflow to use the slsa-checks policy group and attach the SLSA framework to your project.
  • Craft a SLSA provenance in your CI system and send it to Chainloop.
  • Verify SLSA compliance using Chainloop platform.

1 - Configure your Chainloop Workflow

We start by configuring a Chainloop Workflow (full docs available here). We assume you already have the chainloop command line tool available in your local environment (if you don't, have a look at the installation docs):

chainloop workflow create --name "build-and-test" --project "skynet" --team "cyberdyne core"

We created a new workflow, but it is empty for now, meaning that it doesn't declare any materials. We add binaries, container images, SLSA attestations and any other Chainloop-supported material to our contract. We do this with the following command (you can see an example contract by looking at the example file available in GitHub):

chainloop workflow contract update --name build-and-test -f https://raw.githubusercontent.com/chainloop-dev/chainloop/main/docs/examples/contracts/slsa/github.yaml

The above example is a generic one, but for a very simple contract that includes a single container image and a SLSA provenance file we could go with the following contract definition:

schemaVersion: v1

materials:
  - type: CONTAINER_IMAGE
    name: container
  - type: SLSA_PROVENANCE
    name: slsa-attestation

policyGroups:
  - ref: slsa-checks
    with:
      provenance_material_name: slsa-attestation
      runner: GITHUB_ACTION
      issuer: "GitHub"

The above contract file specifies two materials: a CONTAINER_IMAGE representing our container image and a SLSA_PROVENANCE representing the SLSA provenance. Both are added to the attestation during the build. We also included the policyGroups section and referenced the slsa-checks policy group so that the provenance is evaluated as part of the workflow: provenance_material_name tells the checks which material carries the provenance, and runner and issuer tell them which CI runner and provenance issuer to expect.

2 - Include SLSA Attestation in Your GitHub Build

The following section assumes you are using GitHub Actions as your build platform. More platforms are in the works; if you can't see yours, please contact us.

To include SLSA attestation in your build and use it in the Chainloop platform, you need to modify the workflow file to craft the SLSA provenance object and send it to Chainloop as an attached material. The provenance step needs access to the artifacts produced during the build (the files, or the digest of the pushed image), so it has to run in the same job, after the build step.

We will be using the official attest-build-provenance GitHub action to generate the SLSA provenance. The action can attest either files (subject-path, for example a single binary called main placed in the build directory) or a container image identified by name and digest (subject-name plus subject-digest); the example below takes the image route and attests the image pushed in an earlier step.

First, you need to ensure that the GitHub workflow job has the permissions the action needs: id-token: write to obtain the OIDC token used for keyless signing, and attestations: write to store the attestation on GitHub:

permissions:
  id-token: write
  attestations: write

Assuming you already have your image built and pushed to the container registry (in a step with id push that exposes a digest output, as docker/build-push-action does), we can include two additional steps: generating the SLSA provenance and adding it to the Chainloop attestation. We do that by adding the following section to the workflow:

# Generate SLSA provenance for the image pushed in the step with id "push".
- uses: actions/attest-build-provenance@v2
  id: slsa-attest
  with:
    subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
    subject-digest: ${{ steps.push.outputs.digest }}

# Attach the resulting Sigstore bundle as the SLSA_PROVENANCE material named
# "slsa-attestation" in the contract. --name is a flag of "attestation add".
- name: Include SLSA Attestation in Chainloop
  run: |
    chainloop attestation add --name slsa-attestation --value ${{ steps.slsa-attest.outputs.bundle-path }} --kind SLSA_PROVENANCE

The last step, Include SLSA Attestation in Chainloop, assumes that you are already using Chainloop in the job: the CLI is installed and authenticated, and an attestation was initialized earlier with chainloop attestation init, so that the container image material (named container in the contract above) and the provenance can both be added to it before it is pushed. For a more complicated example you can look at our Chainloop project and see how we do SLSA attestation in our release workflow for all the container images and binaries.

Once the workflow runs, the SLSA provenance is generated and added to the Chainloop attestation.

The next step is pushing the attestation to Chainloop; you can learn more about that step in the following section of the documentation.
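Before handing the bundle to chainloop attestation add, it is worth checking locally that it describes the artifact you actually pushed, since a subject for the wrong digest (one platform image instead of the manifest list, for instance) would not be caught until the policy checks run. The following is an added example, not code from the Chainloop project or from the GitHub action. It assumes the bundle layout that actions/attest-build-provenance writes at bundle-path (a Sigstore bundle whose dsseEnvelope.payload is a base64-encoded in-toto v1 Statement with a SLSA v1 provenance predicate, using the GitHub Actions buildType and builder URIs); the image name, repository and digest in the sample bundle are constructed, and its signature is a placeholder.

```python
"""Pre-flight check of an attest-build-provenance bundle before it is attached
to a Chainloop attestation. Added example; assumptions are noted inline."""
import base64
import json

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
GH_WORKFLOW_BUILD_TYPE = "https://actions.github.io/buildtypes/workflow/v1"
GH_BUILDER_PREFIX = "https://github.com/actions/runner/"  # github-hosted / self-hosted


def decode_statement(bundle: dict) -> dict:
    """Decode the in-toto Statement wrapped in the bundle's DSSE envelope."""
    envelope = bundle["dsseEnvelope"]
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(bundle: dict, image_name: str, image_digest: str) -> list[str]:
    """Return the problems found; an empty list means the bundle looks sane.

    The checks mirror what the contract pins down: SLSA v1 provenance, a
    subject equal to the image we pushed (name and sha256), and a build run
    on a GitHub Actions runner. Signature verification is left to Chainloop
    and Sigstore tooling; we only refuse an envelope with no signature at all.
    """
    problems: list[str] = []
    try:
        statement = decode_statement(bundle)
    except (KeyError, ValueError) as exc:
        return [f"cannot decode DSSE payload: {exc}"]

    if statement.get("_type") != INTOTO_STATEMENT_V1:
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        problems.append(f"predicateType {statement.get('predicateType')!r} is not SLSA v1")

    want = image_digest.removeprefix("sha256:").lower()
    subjects = statement.get("subject") or []
    if not any(
        s.get("name") == image_name and s.get("digest", {}).get("sha256", "").lower() == want
        for s in subjects
    ):
        problems.append(f"no subject {image_name}@sha256:{want} in provenance")

    predicate = statement.get("predicate") or {}
    build_type = predicate.get("buildDefinition", {}).get("buildType")
    if build_type != GH_WORKFLOW_BUILD_TYPE:
        problems.append(f"buildType {build_type!r} is not a GitHub Actions workflow build")
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder_id.startswith(GH_BUILDER_PREFIX):
        problems.append(f"builder id {builder_id!r} is not a GitHub Actions runner")

    if not bundle["dsseEnvelope"].get("signatures"):
        problems.append("DSSE envelope carries no signatures")
    return problems


def make_sample_bundle(image_name: str, image_digest: str,
                       builder_id: str = GH_BUILDER_PREFIX + "github-hosted") -> dict:
    """Constructed bundle shaped like the action's output (not actually signed)."""
    statement = {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": image_name,
                     "digest": {"sha256": image_digest.removeprefix("sha256:")}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": GH_WORKFLOW_BUILD_TYPE,
                "externalParameters": {"workflow": {
                    "ref": "refs/heads/main",
                    "repository": "https://github.com/cyberdyne/skynet",  # hypothetical
                    "path": ".github/workflows/build-and-test.yml",
                }},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {},  # certificate and log entry omitted in the sample
        "dsseEnvelope": {
            "payload": payload,
            "payloadType": "application/vnd.in-toto+json",
            "signatures": [{"sig": "cGxhY2Vob2xkZXI="}],  # placeholder, not a real signature
        },
    }


SAMPLE_IMAGE = "ghcr.io/cyberdyne/skynet"  # hypothetical image name
SAMPLE_DIGEST = "sha256:" + "ab" * 32       # constructed digest

if __name__ == "__main__":
    import sys
    # Real use: python check_bundle.py <bundle-path> <image-name> <image-digest>
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            bundle = json.load(fh)
        image, digest = sys.argv[2], sys.argv[3]
    else:
        bundle, image, digest = make_sample_bundle(SAMPLE_IMAGE, SAMPLE_DIGEST), SAMPLE_IMAGE, SAMPLE_DIGEST
    found = check_provenance(bundle, image, digest)
    print("\n".join(found) if found else "provenance bundle looks sane")
    sys.exit(1 if found else 0)
```

In the workflow this would run as a step between the two shown above, for example python check_bundle.py "${{ steps.slsa-attest.outputs.bundle-path }}" "$REGISTRY/$IMAGE_NAME" "${{ steps.push.outputs.digest }}", so a mismatch fails the job before anything reaches Chainloop. The script deliberately does not verify the Sigstore signature or the certificate identity; that remains the job of Chainloop's policy checks and of sigstore tooling, and the issuer pinned in the contract is what those checks enforce.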

3 - Verifying SLSA level in Chainloop

Now that we are generating SLSA provenance and including it in the Chainloop attestation, we need to associate the SLSA Framework with the project whose SLSA compliance we want to start monitoring.

You can do that by going to Projects, selecting the project of your choice and updating it in the Update Project section of that page.

Once that is done, the SLSA compliance status is shown in the Frameworks section of the project, under the SLSA framework.

To learn more about each of the automatic and manual evidence items, head over to the Frameworks section in the Chainloop Platform UI and check the SLSA 1.0 framework.