SLSA - Build - Build Service Package

The SLSA requirement states the following: "All build steps ran using some build service, not on a developer's workstation." This package verifies the requirement by asserting that the image was built by Tekton Pipelines.

Rules Included

Allowed builder IDs provided
Confirm that the allowed_builder_ids rule data was provided, since it is required by the policy rules in this package.
- Rule type: FAILURE
- FAILURE message: %s
- Code: slsa_build_build_service.allowed_builder_ids_provided

SLSA Builder ID found
Verify that the attestation attribute predicate.builder.id is set.
Solution: The builder id in the attestation is missing. Make sure the build system sets the builder id when generating an attestation.
- Rule type: FAILURE
- FAILURE message: Builder ID not set in attestation
- Code: slsa_build_build_service.slsa_builder_id_found

SLSA Builder ID is known and accepted
Verify that the attestation attribute predicate.builder.id is set to one of the values in the allowed_builder_ids rule data, e.g. "https://tekton.dev/chains/v2".
Solution: Make sure the builder id is set to an expected value. The expected values are set in the data sources.
- Rule type: FAILURE
- FAILURE message: Builder ID %q is unexpected
- Code: slsa_build_build_service.slsa_builder_id_accepted
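The three rules above are easier to reason about when you can run them over an actual attestation. The following Python is an added example written for this page, not the package's own Rego rules: it re-implements the same three checks (rule data present, predicate.builder.id set, builder id in allowed_builder_ids) against an in-toto/SLSA provenance statement and returns the failure messages the rules describe. The attestation, the rule data and the function names are all constructed for the example; only the builder id value and the message texts come from the page.

```python
"""Added example: Python re-implementation of the three SLSA build-service
checks. Not the project's Rego; constructed sample data throughout."""
import json

# Constructed SLSA provenance statement. Only the fields the rules inspect are
# meaningful here; the builder id is the example value given on the page.
SAMPLE_ATTESTATION = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "0" * 64}}],
    "predicate": {
        "builder": {"id": "https://tekton.dev/chains/v2"},
        "buildType": "tekton.dev/v1beta1/PipelineRun",
    },
}

# Constructed rule data, the equivalent of the allowed_builder_ids setting.
SAMPLE_RULE_DATA = {"allowed_builder_ids": ["https://tekton.dev/chains/v2"]}


def builder_id(statement):
    """Return predicate.builder.id, or None when any link in the path is missing
    or the value is not a non-empty string (a malformed attestation must not
    pass by accident)."""
    predicate = statement.get("predicate")
    if not isinstance(predicate, dict):
        return None
    builder = predicate.get("builder")
    if not isinstance(builder, dict):
        return None
    value = builder.get("id")
    return value if isinstance(value, str) and value else None


def check_allowed_builder_ids_provided(rule_data):
    """Rule 1: the allowed_builder_ids rule data must exist and be non-empty."""
    ids = rule_data.get("allowed_builder_ids")
    if not isinstance(ids, list) or not ids:
        return ["Rule data 'allowed_builder_ids' is missing or empty"]
    return []


def check_builder_id_found(statement):
    """Rule 2: predicate.builder.id must be set."""
    if builder_id(statement) is None:
        return ["Builder ID not set in attestation"]
    return []


def check_builder_id_accepted(statement, rule_data):
    """Rule 3: the builder id must be one of the allowed values. A missing id is
    reported by rule 2 and is not duplicated here."""
    bid = builder_id(statement)
    if bid is None:
        return []
    allowed = rule_data.get("allowed_builder_ids")
    if not isinstance(allowed, list) or bid not in allowed:
        # json.dumps gives the quoted form the %q placeholder produces
        return ["Builder ID %s is unexpected" % json.dumps(bid)]
    return []


def evaluate(statement, rule_data):
    """Run all three rules and return the list of FAILURE messages (empty = pass)."""
    failures = []
    failures += check_allowed_builder_ids_provided(rule_data)
    failures += check_builder_id_found(statement)
    failures += check_builder_id_accepted(statement, rule_data)
    return failures


if __name__ == "__main__":
    for label, att, data in [
        ("good", SAMPLE_ATTESTATION, SAMPLE_RULE_DATA),
        ("no builder id", {"predicate": {}}, SAMPLE_RULE_DATA),
        ("no rule data", SAMPLE_ATTESTATION, {}),
    ]:
        print(label, "->", evaluate(att, data) or "PASS")
```

Note that with no rule data both the first and the third rule fire: an attestation whose builder id cannot be matched against any allowed value is rejected rather than silently accepted, which is the fail-closed behaviour you want from a policy gate.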