SLSA • Verification Summary Attestation (VSA)
<!DOCTYPE html> <html lang="en"><head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <meta name="description" content="Specification for a verification summary of artifacts by a trusted verifier entity." /> <title>SLSA • Verification Summary Attestation (VSA)</title> </head> <body> <div class="site-main"> <main class="site-clamp" aria-label="Content"> <header class="content-header"> <h1 class="mb-16">Verification Summary Attestation (VSA)</h1> </header> <div class="site-content has-toc"> <aside class="table-of-contents flex flex-col"> <div class="rounded-lg p-4 border border-green-900 mt-4 md:mt-0 mb-4"> Status: <a href="/spec-stages" style="display: inline">Approved</a> </div> <div class="flex-auto rounded-lg p-4 border border-green-900 overflow-auto">
<p class="header-small uppercase">On this page</p> <ul><li><a href="#purpose">Purpose</a></li><li><a href="#model">Model</a></li><li><a href="#schema">Schema</a><ul><li><a href="#parsing-rules">Parsing rules</a></li><li><a href="#fields">Fields</a></li></ul></li><li><a href="#example">Example</a></li><li><a href="#emslsaresult-stringem"><em>SlsaResult (String)</em></a></li><li><a href="#change-history">Change history</a></li></ul> </div> </aside> <div class="content main-content"> <p>Verification summary attestations communicate that an artifact has been verified at a specific SLSA level and details about that verification.</p> <p>This document defines the following predicate type within the <a href="https://github.com/in-toto/attestation">in-toto attestation</a> framework:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nl">"predicateType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://slsa.dev/verification_summary/v1"</span><span class="w"> </span></code></pre></div></div> <blockquote> <p>Important: Always use the above string for <code>predicateType</code> rather than what is in the URL bar. The <code>predicateType</code> URI will always resolve to the latest minor version of this specification. See <a href="#parsing-rules">parsing rules</a> for more information.</p> </blockquote> <h2 id="purpose">Purpose</h2> <p>Describe what SLSA level an artifact or set of artifacts was verified at and other details about the verification process including what SLSA level the dependencies were verified at.</p> <p>This allows software consumers to make a decision about the validity of an artifact without needing to have access to all of the attestations about the artifact or all of its transitive dependencies. 
They can use it to delegate complex policy decisions to some trusted party and then simply trust that party’s decision regarding the artifact.</p> <p>It also allows software producers to keep the details of their build pipeline confidential while still communicating that some verification has taken place. This might be necessary for legal reasons (keeping a software supplier confidential) or for security reasons (not revealing that an embargoed patch has been included).</p> <h2 id="model">Model</h2> <p>A Verification Summary Attestation (VSA) is an attestation that some entity (<code>verifier</code>) verified one or more software artifacts (the <code>subject</code> of an in-toto attestation <a href="https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md">Statement</a>) by evaluating the artifact and a <code>bundle</code> of attestations against some <code>policy</code>. Users who trust the <code>verifier</code> may assume that the artifacts met the indicated SLSA level without themselves needing to evaluate the artifact or to have access to the attestations the <code>verifier</code> used to make its determination.</p> <p>The VSA also allows consumers to determine the verified levels of all of an artifact’s <em>transitive</em> dependencies. The verifier does this by either a) verifying the provenance of each non-source dependency listed in the <a href="/provenance/v1#resolvedDependencies">resolvedDependencies</a> of the artifact being verified (recursively) or b) matching the non-source dependency listed in <code>resolvedDependencies</code> (<code>subject.digest</code> == <code>resolvedDependencies.digest</code> and, ideally, <code>vsa.resourceUri</code> == <code>resolvedDependencies.uri</code>) to a VSA <em>for that dependency</em> and using <code>vsa.verifiedLevels</code> and <code>vsa.dependencyLevels</code>. 
Policy verifiers wishing to establish minimum requirements on dependencies' SLSA levels may use <code>vsa.dependencyLevels</code> to do so.</p> <h2 id="schema">Schema</h2> <div class="language-jsonc highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// Standard attestation fields:
"_type": "https://in-toto.io/Statement/v1",
"subject": [{
  "name": &lt;NAME&gt;,
  "digest": { &lt;digest-in-request&gt; }
}],

// Predicate
"predicateType": "https://slsa.dev/verification_summary/v1",
"predicate": {
  // Required
  "verifier": {
    "id": "&lt;URI&gt;"
  },
  "timeVerified": &lt;TIMESTAMP&gt;,
  "resourceUri": &lt;artifact-URI-in-request&gt;,
  "policy": {
    "uri": "&lt;URI&gt;",
    "digest": { /* DigestSet */ }
  },
  "inputAttestations": [
    {
      "uri": "&lt;URI&gt;",
      "digest": { &lt;digest-of-attestation-data&gt; }
    },
    ...
  ],
  "verificationResult": "&lt;PASSED|FAILED&gt;",
  "verifiedLevels": ["&lt;SlsaResult&gt;"],
  "dependencyLevels": {
    "&lt;SlsaResult&gt;": &lt;Int&gt;,
    "&lt;SlsaResult&gt;": &lt;Int&gt;,
    ...
  },
  "slsaVersion": "&lt;MAJOR&gt;.&lt;MINOR&gt;",
}
</code></pre></div></div> <h3 id="parsing-rules">Parsing rules</h3> <p>This predicate follows the in-toto attestation <a href="https://github.com/in-toto/attestation/blob/main/spec/v1/README.md#parsing-rules">parsing rules</a>. Summary:</p> <ul> <li>Consumers MUST ignore unrecognized fields.</li> <li>The <code>predicateType</code> URI includes the major version number and will always change whenever there is a backwards incompatible change.</li> <li>Minor version changes are always backwards compatible and “monotonic.” Such changes do not update the <code>predicateType</code>.</li> <li>Producers MAY add extension fields using field names that are URIs.</li> </ul> <h3 id="fields">Fields</h3> <p><em>NOTE: This section describes the fields within <code>predicate</code>. For a description of the other top-level fields, such as <code>subject</code>, see <a href="https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md">Statement</a>.</em></p> <p><a id="verifier"></a> <code>verifier</code> <em>object, required</em></p> <blockquote> <p>Identifies the entity that performed the verification.</p> <p>The identity MUST reflect the trust base that consumers care about.
How detailed to be is a judgment call.</p> <p>Consumers MUST accept only specific (signer, verifier) pairs. For example, “GitHub” can sign provenance for the “GitHub Actions” verifier, and “Google” can sign provenance for the “Google Cloud Deploy” verifier, but “GitHub” cannot sign for the “Google Cloud Deploy” verifier.</p> <p>The field is required, even if it is implicit from the signer, to aid readability and debugging. It is an object to allow additional fields in the future, in case one URI is not sufficient.</p> </blockquote> <p><a id="verifier.id"></a> <code>verifier.id</code> <em>string (<a href="https://github.com/in-toto/attestation/blob/main/spec/v1/field_types.md#TypeURI">TypeURI</a>), required</em></p> <blockquote> <p>URI indicating the verifier’s identity.</p> </blockquote> <p><a id="timeVerified"></a> <code>timeVerified</code> <em>string (<a href="https://github.com/in-toto/attestation/blob/main/spec/v1/field_types.md#Timestamp">Timestamp</a>), required</em></p> <blockquote> <p>Timestamp indicating what time the verification occurred.</p> </blockquote> <p><a id="resourceUri"></a> <code>resourceUri</code> <em>string (<a href="https://github.com/in-toto/attestation/blob/main/spec/v1/field_types.md#ResourceURI">ResourceURI</a>), required</em></p> <blockquote> <p>URI that identifies the resource associated with the artifact being verified.</p> </blockquote> <p><a id="policy"></a> <code>policy</code> <em>object (<a href="https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md">ResourceDescriptor</a>), required</em></p> <blockquote> <p>Describes the policy that the <code>subject</code> was verified against.</p> <p>The entry MUST contain a <code>uri</code>.</p> </blockquote> <p><a id="inputAttestations"></a> <code>inputAttestations</code> <em>array (<a href="https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md">ResourceDescriptor</a>), optional</em></p> <blockquote> <p>The collection of attestations that 
were used to perform verification. Conceptually similar to the <code>resolvedDependencies</code> field in <a href="/provenance">SLSA Provenance</a>.</p> <p>This field MAY be absent if the verifier does not support this feature. If non-empty, this field MUST contain information on <em>all</em> the attestations used to perform verification.</p> <p>Each entry MUST contain a <code>digest</code> of the attestation and SHOULD contain a <code>uri</code> that can be used to fetch the attestation.</p> </blockquote> <p><a id="verificationResult"></a> <code>verificationResult</code> <em>string, required</em></p> <blockquote> <p>Either “PASSED” or “FAILED” to indicate if the artifact passed or failed the policy verification.</p> </blockquote> <p><a id="verifiedLevels"></a> <code>verifiedLevels</code> <em>array (<a href="#slsaresult">SlsaResult</a>), required</em></p> <blockquote> <p>Indicates the highest level of each track verified for the artifact (and not its dependencies), or “FAILED” if policy verification failed.</p> <p>Users MUST NOT include more than one level per SLSA track. Note that each SLSA level implies all levels below it (e.g. <code>SLSA_BUILD_LEVEL_3</code> implies <code>SLSA_BUILD_LEVEL_2</code> and <code>SLSA_BUILD_LEVEL_1</code>), so there is no need to include more than one level per track.</p> </blockquote> <p><a id="dependencyLevels"></a> <code>dependencyLevels</code> <em>object, optional</em></p> <blockquote> <p>A count of the dependencies at each SLSA level.</p> <p>Map from <a href="#slsaresult">SlsaResult</a> to the number of the artifact’s <em>transitive</em> dependencies that were verified at the indicated level. Absence of a given level of <a href="#slsaresult">SlsaResult</a> MUST be interpreted as reporting <em>0</em> dependencies at that level. 
A set but empty <code>dependencyLevels</code> object means that the artifact has <strong>no</strong> dependencies at all, while an unset or null <code>dependencyLevels</code> means that the verifier makes no claims about the artifact’s dependencies.</p> <p>Users MUST count each dependency only once per SLSA track, at the highest level verified. For example, if a dependency meets <code>SLSA_BUILD_LEVEL_2</code>, you include it with the count for <code>SLSA_BUILD_LEVEL_2</code> but not the count for <code>SLSA_BUILD_LEVEL_1</code>.</p> </blockquote> <p><a id="slsaVersion"></a> <code>slsaVersion</code> <em>string, optional</em></p> <blockquote> <p>Indicates the version of the SLSA specification that the verifier used, in the form <code>&lt;MAJOR&gt;.&lt;MINOR&gt;</code>. Example: <code>1.0</code>. If unset, the default is an unspecified minor version of <code>1.x</code>.</p> </blockquote> <h2 id="example">Example</h2> <p>WARNING: This is just for demonstration purposes.</p> <div class="language-jsonc highlighter-rouge"><div class="highlight"><pre class="highlight"><code>"_type": "https://in-toto.io/Statement/v1",
"subject": [{
  "name": "out/example-1.2.3.tar.gz",
  "digest": {"sha256": "5678..."}
}],

// Predicate
"predicateType": "https://slsa.dev/verification_summary/v1",
"predicate": {
  "verifier": {
    "id": "https://example.com/publication_verifier"
  },
  "timeVerified": "1985-04-12T23:20:50.52Z",
  "resourceUri": "https://example.com/example-1.2.3.tar.gz",
  "policy": {
    "uri": "https://example.com/example_tarball.policy",
    "digest": {"sha256": "1234..."}
  },
  "inputAttestations": [
    {
      "uri": "https://example.com/provenances/example-1.2.3.tar.gz.intoto.jsonl",
      "digest": {"sha256": "abcd..."}
    }
  ],
  "verificationResult": "PASSED",
  "verifiedLevels": ["SLSA_BUILD_LEVEL_3"],
  "dependencyLevels": {
    "SLSA_BUILD_LEVEL_3": 5,
    "SLSA_BUILD_LEVEL_2": 7,
    "SLSA_BUILD_LEVEL_1": 1
  },
  "slsaVersion": "1.0"
}
</code></pre></div></div> <div id="slsaresult"> <h2 id="emslsaresult-stringem"><em>SlsaResult (String)</em></h2> </div> <p>The result of evaluating an artifact (or set of artifacts) against SLSA. 
SHOULD be one of these values:</p> <ul> <li><code>SLSA_BUILD_LEVEL_0</code></li> <li><code>SLSA_BUILD_LEVEL_1</code></li> <li><code>SLSA_BUILD_LEVEL_2</code></li> <li><code>SLSA_BUILD_LEVEL_3</code></li> <li><code>FAILED</code> (Indicates policy evaluation failed)</li> </ul> <p>Note that each SLSA level implies the levels below it in the same track. For example, <code>SLSA_BUILD_LEVEL_3</code> means (<code>SLSA_BUILD_LEVEL_1</code> + <code>SLSA_BUILD_LEVEL_2</code> + <code>SLSA_BUILD_LEVEL_3</code>).</p> <p>Users MAY use custom values here but MUST NOT use custom values starting with <code>SLSA_</code>.</p> <h2 id="change-history">Change history</h2> <ul> <li>1: <ul> <li>Replaced <code>materials</code> with <code>resolvedDependencies</code>.</li> <li>Relaxed <code>SlsaResult</code> to allow other values.</li> <li>Converted to lowerCamelCase for consistency with <a href="/provenance">SLSA Provenance</a>.</li> <li>Added <code>slsaVersion</code> field.</li> </ul> </li> <li>0.2: <ul> <li>Added <code>resource_uri</code> field.</li> <li>Added optional <code>input_attestations</code> field.</li> </ul> </li> <li>0.1: Initial version.</li> </ul> </div> </div> </main><footer class="site-footer flex-none h-card text-white"> <div class="site-clamp py-4 flex flex-wrap items-start justify-between w-full"> <div class="w-full md:w-1/3 mb-8 md:mb-0"> <p><strong>SLSA is a cross-industry collaboration.</strong><br> © 2024 The Linux Foundation, under the terms of the <a href="https://github.com/slsa-framework/governance">Community Specification License 1.0</a></p> </div> <div class="w-full md:w-1/4 mb-8 md:mb-0 flex md:justify-end"> <p> <a href="https://github.com/slsa-framework/slsa/blob/910587ad00cc1f893b1e1ef6af3fb00c382e72f3/docs/spec/v1.0/verification_summary.md?plain=1" target="_blank" class="flex gap-4 h5 font-normal"> View source on GitHub </a> </p> </div> </div> </footer> </div> </body> </html>
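<p>The consumer-side checks the Model, Parsing rules and Fields sections above describe (exact <code>predicateType</code> match, subject digest match, accepted (signer, verifier) pairs, a PASSED result, one level per track in <code>verifiedLevels</code>, and the unset / empty / counted semantics of <code>dependencyLevels</code>), worked through as an added Python example that is not part of the SLSA specification or any SLSA project code. The signer identity, the accepted pairs and the minimum levels are constructed assumptions; the sample VSA is the one from the Example section, and DSSE signature verification is assumed to have happened before these checks run.</p>

```python
"""Consumer-side checks for a SLSA v1.0 Verification Summary Attestation (VSA).
Added example, not code from the SLSA specification or any SLSA project.
Signature verification of the DSSE envelope around the Statement is assumed
to have already happened; the caller passes the signer identity it obtained.
"""
import re

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"  # compare this exact string
BUILD_LEVEL = re.compile(r"^SLSA_BUILD_LEVEL_(\d+)$")


def build_level(result):
    """Numeric build level of a SlsaResult, or None for FAILED and custom values."""
    m = BUILD_LEVEL.match(result)
    return int(m.group(1)) if m else None


def check_dependency_levels(dep_levels, min_level):
    """dependencyLevels semantics: unset/null = no claim, {} = no dependencies, else count."""
    if dep_levels is None:
        return ["verifier makes no claim about dependency levels"]
    below = 0
    for result, count in dep_levels.items():
        if result == "FAILED":
            below += count
            continue
        lvl = build_level(result)
        # Custom, non-build-track values are not counted against the build minimum.
        if lvl is not None and lvl < min_level:
            below += count
    return [f"dependencies below build level {min_level}: {below}"] if below else []


def check_vsa(statement, expected_digest, signer, accepted_pairs,
              min_build_level, min_dependency_level=None, expected_resource_uri=None):
    """Return the list of policy failures; an empty list means the VSA is acceptable."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected Statement _type")
    # Parsing rule: match the predicateType string exactly, never a resolved URL.
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("predicateType is not the VSA v1 URI")
    # The subject digest must match the artifact we actually hold.
    if not any(s.get("digest", {}).get(alg) == val
               for s in statement.get("subject", []) for alg, val in expected_digest.items()):
        problems.append("no subject digest matches the artifact")
    pred = statement.get("predicate", {})
    if expected_resource_uri and pred.get("resourceUri") != expected_resource_uri:
        problems.append("resourceUri does not match the requested resource")
    # Only specific (signer, verifier) pairs are trusted.
    verifier_id = pred.get("verifier", {}).get("id")
    if (signer, verifier_id) not in accepted_pairs:
        problems.append(f"signer {signer!r} is not accepted for verifier {verifier_id!r}")
    if pred.get("verificationResult") != "PASSED":
        problems.append("verificationResult is not PASSED")
    levels = pred.get("verifiedLevels", [])
    if "FAILED" in levels:
        problems.append("verifiedLevels reports FAILED")
    build_levels = [lvl for lvl in map(build_level, levels) if lvl is not None]
    if len(build_levels) > 1:
        problems.append("more than one build level in verifiedLevels")
    if not build_levels or max(build_levels) < min_build_level:
        problems.append(f"verified build level is below {min_build_level}")
    if min_dependency_level is not None:
        problems += check_dependency_levels(pred.get("dependencyLevels"), min_dependency_level)
    return problems


# Constructed sample: the VSA from this page's Example section, truncated digests kept as-is.
EXAMPLE_VSA = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "out/example-1.2.3.tar.gz", "digest": {"sha256": "5678..."}}],
    "predicateType": PREDICATE_TYPE,
    "predicate": {
        "verifier": {"id": "https://example.com/publication_verifier"},
        "timeVerified": "1985-04-12T23:20:50.52Z",
        "resourceUri": "https://example.com/example-1.2.3.tar.gz",
        "policy": {"uri": "https://example.com/example_tarball.policy",
                   "digest": {"sha256": "1234..."}},
        "inputAttestations": [{"uri": "https://example.com/provenances/example-1.2.3.tar.gz.intoto.jsonl",
                               "digest": {"sha256": "abcd..."}}],
        "verificationResult": "PASSED",
        "verifiedLevels": ["SLSA_BUILD_LEVEL_3"],
        "dependencyLevels": {"SLSA_BUILD_LEVEL_3": 5, "SLSA_BUILD_LEVEL_2": 7, "SLSA_BUILD_LEVEL_1": 1},
        "slsaVersion": "1.0",
    },
}
# Constructed trust configuration (hypothetical signer identity): who may vouch for which verifier.
ACCEPTED_PAIRS = {("https://example.com/release-signing-key", "https://example.com/publication_verifier")}

if __name__ == "__main__":
    for min_dep in (1, 2):  # all deps at >= L1 passes; requiring L2 flags the one L1 dependency
        print(min_dep, check_vsa(EXAMPLE_VSA, {"sha256": "5678..."},
                                 "https://example.com/release-signing-key", ACCEPTED_PAIRS, 3, min_dep))
```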