SLSA - Source - Version Controlled Package

The SLSA requirement states the following: "Every change to the source is tracked in a version control system that meets the following requirements:

[Change history] There exists a record of the history of changes
that went into the revision. Each change must contain: the
identities of the uploader and reviewers (if any), timestamps of
the reviews (if any) and submission, the change
description/justification, the content of the change, and the
parent revisions.
[Immutable reference] There exists a way to indefinitely reference
this particular, immutable revision. In git, this is the {repo URL +
branch/tag/ref + commit ID}.

Most popular version control system meet this requirement, such as git, Mercurial, Subversion, or Perforce." This package verifies the requirement by asserting the image was built from a git repository.

Package Name

  • slsa_source_version_controlled

Rules Included

Material uri is a git repo

Ensure each entry in the predicate.materials array with a SHA-1 digest includes a valid Git URI.

Solution: Ensure the URI associated with a SHA-1 digest in the materials section of the attestation is valid. This URI is derived from the 'CHAINS-GIT_URL' output of the 'git-clone' task.

  • Rule type: FAILURE

  • FAILURE message: Material URI %q is not a git URI

  • Code: slsa_source_version_controlled.materials_uri_is_git_repo

  • Source

Materials have uri and digest

Confirm at least one entry in the predicate.materials array of the attestation contains the expected attributes: uri and digest.sha1.

Solution: Make sure the attestation contains the repository URI and digest.sha1. This information comes from the 'CHAINS-GIT_URL' and 'CHAINS-GIT_COMMIT' results in the 'git-clone' task.

  • Rule type: FAILURE

  • FAILURE message: No materials match expected format

  • Code: slsa_source_version_controlled.materials_format_okay

  • Source

Materials include git commit shas

Ensure that each entry in the predicate.materials array with a SHA-1 digest includes a valid Git commit SHA.

Solution: Ensure the digest.sha1 in the materials section of the attestation is a valid Git commit SHA. This commit information is derived from the 'CHAINS-GIT_COMMIT' output of the 'git-clone' task.

  • Rule type: FAILURE

  • FAILURE message: Material digest %q is not a git commit sha

  • Code: slsa_source_version_controlled.materials_include_git_sha

  • Source