Ideally this is generic enough that it is not necessarily tied to GitHub. It ought to work with any git URI reference, and potentially with other URI types.
The SLSA Provenance generated on GitHub does not include details about the workflow used to build a container image.
This makes it hard to create a policy rule that checks if a certain GitHub action was included in the process, e.g. did a code scanner run?
The SLSA Provenance does contain a reference to the workflow:
Let's introduce a new custom built-in rego function to fetch the workflow, e.g.
ec.fetch_slsa_config_source(attestation)
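
An added example, not part of the issue or the project's code: the step that has to happen before any fetch, turning the attestation's workflow reference into a repository, an immutable commit and a file path for any `git+` URI. It assumes the SLSA v0.2 layout (`predicate.invocation.configSource` with `uri`, `digest` and `entryPoint`); `ResolveConfigSource`, `WorkflowRef` and the sample statement are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"path"
	"strings"
)

type WorkflowRef struct{ Repo, Commit, Path string } // repo URL, pinned commit, file path

// ResolveConfigSource (hypothetical helper) reads predicate.invocation.configSource
// from a SLSA v0.2 statement and pins the workflow to the attested commit.
func ResolveConfigSource(statement []byte) (WorkflowRef, error) {
	var s struct {
		Predicate struct {
			Invocation struct {
				ConfigSource struct {
					URI        string            `json:"uri"`
					Digest     map[string]string `json:"digest"`
					EntryPoint string            `json:"entryPoint"`
				} `json:"configSource"`
			} `json:"invocation"`
		} `json:"predicate"`
	}
	if err := json.Unmarshal(statement, &s); err != nil {
		return WorkflowRef{}, err
	}
	cs := s.Predicate.Invocation.ConfigSource
	u, err := url.Parse(strings.TrimPrefix(cs.URI, "git+"))
	if err != nil || !strings.HasPrefix(cs.URI, "git+") || u.Host == "" {
		return WorkflowRef{}, fmt.Errorf("unsupported configSource uri %q", cs.URI)
	}
	// Drop the "@ref" suffix: a branch or tag can move, the digest cannot.
	u.Path, _, _ = strings.Cut(u.Path, "@")
	commit := cs.Digest["sha1"]
	if len(commit) != 40 {
		return WorkflowRef{}, fmt.Errorf("configSource lacks a full sha1 commit digest")
	}
	// Reject entry points that would resolve outside the repository checkout.
	p := path.Clean(cs.EntryPoint)
	if cs.EntryPoint == "" || path.IsAbs(p) || p == ".." || strings.HasPrefix(p, "../") {
		return WorkflowRef{}, fmt.Errorf("unsafe entryPoint %q", cs.EntryPoint)
	}
	return WorkflowRef{Repo: u.String(), Commit: commit, Path: p}, nil
}
// sample is a constructed statement, trimmed to the fields used here.
const sample = `{"predicate":{"invocation":{"configSource":{"uri":"git+https://git.example/org/repo@refs/heads/main","digest":{"sha1":"0123456789abcdef0123456789abcdef01234567"},"entryPoint":".github/workflows/release.yml"}}}}`
func main() { fmt.Println(ResolveConfigSource([]byte(sample))) }
```

Fetching the file at `Commit` rather than at the ref in the URI keeps the policy evaluating the workflow that was actually attested.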