SLSA - Verification model - Source Package

Verify that the provided source code reference is the one being attested.

Solution: The source code reference in the attestation doesn’t match the expected and provided source code reference. Make sure that the provided source code reference is correct, and if it is make sure that the build process is configured to retrieve the source code from the appropriate source code repository. Make sure that the source code reference is pointing to a explicit revision not to a symbolic identifier, e.g. a branch or tag name.

Confirm the expected rule data keys have been provided in the expected format. The keys are supported_vcs and supported_digests.

Check if the expected source code reference is provided.

Solution: Provide the expected source code reference in inputs.

Attestation contains source reference.

Solution: Check that the attestation creation process includes the source code reference in the predicate.materials for SLSA Provenance v0.2, or in predicate.buildDefinition.resolvedDependencies for SLSA Provenance v1.0 attestations. Check that the Version Control System prefix is the list of the supported VCS types in rule data (supported_vcs key).