GitHub Certificate Checks Package

Verify attributes on the certificate involved in the image signature when using slsa-github-generator on GitHub Actions with Sigstore Fulcio

Package Name

  • github_certificate

Rules Included

GitHub Workflow Certificate Extensions

Check if the image signature certificate contains the expected GitHub extensions. These are the extensions that represent the GitHub workflow trigger, SHA, name, repository, and ref. A missing extension produces a warning rather than a failure; the allow-list rules below are what reject a value.

  • Rule type: WARNING

  • WARNING message: Missing extension %q

  • Code: github_certificate.gh_workflow_extensions

  • Source

GitHub Workflow Name

Check if the value of the GitHub Workflow Name extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_names to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeed.

  • Rule type: FAILURE

  • FAILURE message: Name %q not in allowed list: %v

  • Code: github_certificate.gh_workflow_name

  • Source

GitHub Workflow Repository

Check if the value of the GitHub Workflow Repository extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_repos to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeed.

  • Rule type: FAILURE

  • FAILURE message: Repository %q not in allowed list: %v

  • Code: github_certificate.gh_workflow_repository

  • Source

GitHub Workflow Ref

Check if the value of the GitHub Workflow Ref extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_refs to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeed.

  • Rule type: FAILURE

  • FAILURE message: Ref %q not in allowed list: %v

  • Code: github_certificate.gh_workflow_ref

  • Source

GitHub Workflow Trigger

Check if the value of the GitHub Workflow Trigger extension in the image signature certificate matches one of the allowed values. Use the rule data key allowed_gh_workflow_triggers to specify the list of allowed values. An empty allow list, which is the default value, causes this check to succeed.

  • Rule type: FAILURE

  • FAILURE message: Trigger %q not in allowed list: %v

  • Code: github_certificate.gh_workflow_trigger

  • Source

Rule data provided

Confirm the expected rule data keys have been provided in the expected format. The keys are allowed_gh_workflow_repos, allowed_gh_workflow_refs, allowed_gh_workflow_names, and allowed_gh_workflow_triggers.

Solution: If provided, ensure the rule data is in the expected format.

  • Rule type: FAILURE

  • FAILURE message: %s

  • Code: github_certificate.rule_data_provided

  • Source
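The rules in this package reduce to a small amount of logic over the X.509 extensions of the signing certificate. The Go program below is an added example written for this page, not the package's own rule source. It assumes the Fulcio OIDs 1.3.6.1.4.1.57264.1.2 through .1.6 for the trigger, SHA, name, repository and ref extensions, that their values are stored as raw strings (Fulcio's encoding for those original extensions), and that a configured allow list fails closed when the extension is absent, a case the page does not specify. The certificate it checks is constructed locally with those extension OIDs rather than issued by Fulcio, and the RuleData struct stands in for the allowed_gh_workflow_* rule data keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// fulcioOID returns 1.3.6.1.4.1.57264.1.<n>, the arc Fulcio uses for its extensions.
func fulcioOID(n int) asn1.ObjectIdentifier { return asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, n} }

// githubExtensions pairs each name used in the rule messages with its OID; a slice keeps output order stable.
var githubExtensions = []struct {
	Name string
	OID  asn1.ObjectIdentifier
}{
	{"GitHub Workflow Trigger", fulcioOID(2)},
	{"GitHub Workflow SHA", fulcioOID(3)},
	{"GitHub Workflow Name", fulcioOID(4)},
	{"GitHub Workflow Repository", fulcioOID(5)},
	{"GitHub Workflow Ref", fulcioOID(6)},
}

// RuleData mirrors the four rule data keys (allowed_gh_workflow_*); an empty list allows any value.
type RuleData struct{ AllowedNames, AllowedRepos, AllowedRefs, AllowedTriggers []string }

// CheckCertificate applies the presence warning and the four allow-list rules and returns
// WARNING and FAILURE messages in the page's wording. Assumptions of this example: extension
// values are raw strings (Fulcio's encoding for these original extensions, no DER wrapping),
// and a missing extension is checked as "" so a configured allow list fails closed.
func CheckCertificate(cert *x509.Certificate, rd RuleData) (warnings, failures []string) {
	vals := map[string]string{}
	for _, ext := range cert.Extensions {
		for _, gh := range githubExtensions {
			if ext.Id.Equal(gh.OID) {
				vals[gh.Name] = string(ext.Value)
			}
		}
	}
	for _, gh := range githubExtensions {
		if _, ok := vals[gh.Name]; !ok {
			warnings = append(warnings, fmt.Sprintf("Missing extension %q", gh.Name))
		}
	}
	allowListed := func(label, name string, allowed []string) {
		if len(allowed) == 0 {
			return // empty allow list: rule succeeds, as the page specifies
		}
		for _, a := range allowed {
			if a == vals[name] {
				return
			}
		}
		failures = append(failures, fmt.Sprintf("%s %q not in allowed list: %v", label, vals[name], allowed))
	}
	allowListed("Name", "GitHub Workflow Name", rd.AllowedNames)
	allowListed("Repository", "GitHub Workflow Repository", rd.AllowedRepos)
	allowListed("Ref", "GitHub Workflow Ref", rd.AllowedRefs)
	allowListed("Trigger", "GitHub Workflow Trigger", rd.AllowedTriggers)
	return warnings, failures
}

// NewTestCert builds a self-signed certificate carrying the given extension values (keyed by
// extension name). This is constructed test data, not a Fulcio-issued certificate.
func NewTestCert(values map[string]string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute)}
	for _, gh := range githubExtensions {
		if v, ok := values[gh.Name]; ok {
			tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: gh.OID, Value: []byte(v)})
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed input: every extension present except Ref, and a repository outside the allow list.
	cert, err := NewTestCert(map[string]string{"GitHub Workflow Trigger": "push", "GitHub Workflow Name": "release",
		"GitHub Workflow SHA": "0123456789abcdef0123456789abcdef01234567", "GitHub Workflow Repository": "someone-else/fork"})
	if err != nil {
		panic(err)
	}
	w, f := CheckCertificate(cert, RuleData{AllowedRepos: []string{"example-org/example-app"}, AllowedRefs: []string{"refs/tags/v1.2.3"}})
	fmt.Println("warnings:", w)
	fmt.Println("failures:", f)
}
```

In a real pipeline the certificate passed to CheckCertificate is the one attached to the image's Sigstore signature. The OIDs used here are the original Fulcio GitHub extensions that this package names; Fulcio later added DER-encoded replacements under the same arc (1.3.6.1.4.1.57264.1.8 and up), which this example does not read. Note the practical consequence of the rule design: with no rule data at all, a certificate from any repository, ref or trigger passes every FAILURE rule, so the allow lists are what actually pin the signer to your workflow.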