Generate attestation metadata using SLSA v1.0
Overview
In GitLab Runner 15.1 we added attestation metadata creation for all build artifacts based on the SLSA v0.1 specification. SLSA v1.0 (Supply Chain Levels for Software Artifacts), the first stable release of the specification, introduces significant changes from v0.1: the provenance predicate type changes to `https://slsa.dev/provenance/v1`, and the predicate is restructured around `buildDefinition` (what was built and from which inputs) and `runDetails` (who built it and when), so metadata produced for v0.1 is not valid v1.0 provenance.
Proposal
- Add a mechanism to GitLab Runner to generate attestation metadata for build artifacts using the SLSA v1.0 General model specification.
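To make the proposed v1.0 output concrete, the following is an added example (not GitLab Runner's own code) that builds an in-toto Statement carrying a SLSA v1.0 provenance predicate for a build artifact and then checks it for the fields a verifier would expect. The `BUILD_TYPE` and `BUILDER_ID` URIs, the pipeline inputs in `example_statement()` and the artifact bytes are constructed placeholders, not values GitLab emits.

```python
import hashlib
import json
from datetime import datetime, timezone

# Type URIs fixed by the in-toto Statement v1 and SLSA v1.0 specifications.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Hypothetical identifiers for illustration; not values GitLab Runner emits.
BUILD_TYPE = "https://example.com/gitlab-ci/build/v1"
BUILDER_ID = "https://example.com/gitlab-runner/v16"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifacts, external_params, dependencies,
                    builder_id=BUILDER_ID, invocation_id="",
                    started_on=None, finished_on=None):
    """Return an in-toto Statement whose predicate is SLSA v1.0 provenance.

    artifacts: mapping of artifact name -> bytes (the statement's subjects).
    external_params: inputs under the user's control (ref, variables, ...).
    dependencies: list of {"uri": ..., "digest": {...}} resolved at build time.
    """
    now = datetime.now(timezone.utc).isoformat()
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(blob)}}
                    for name, blob in artifacts.items()],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": BUILD_TYPE,
                "externalParameters": external_params,
                "internalParameters": {},
                "resolvedDependencies": dependencies,
            },
            "runDetails": {
                "builder": {"id": builder_id},
                "metadata": {
                    "invocationId": invocation_id,
                    "startedOn": started_on or now,
                    "finishedOn": finished_on or now,
                },
                "byproducts": [],
            },
        },
    }


def validate_provenance(stmt) -> list:
    """Return structural problems; an empty list means well-formed v1.0 provenance."""
    problems = []
    if stmt.get("_type") != STATEMENT_TYPE:
        problems.append(f"unexpected _type {stmt.get('_type')!r}")
    if stmt.get("predicateType") != PREDICATE_TYPE:
        problems.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
    subjects = stmt.get("subject") or []
    if not subjects:
        problems.append("no subjects")
    for s in subjects:
        digest = (s.get("digest") or {}).get("sha256", "")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            problems.append(f"subject {s.get('name')!r} lacks a sha256 digest")
    pred = stmt.get("predicate") or {}
    bd = pred.get("buildDefinition") or {}
    if not bd.get("buildType"):
        problems.append("buildDefinition.buildType missing")
    if not isinstance(bd.get("externalParameters"), dict):
        problems.append("buildDefinition.externalParameters must be an object")
    for dep in bd.get("resolvedDependencies") or []:
        if not (dep.get("uri") or dep.get("digest")):
            problems.append("resolvedDependency has neither uri nor digest")
    builder = (pred.get("runDetails") or {}).get("builder") or {}
    if not builder.get("id"):
        problems.append("runDetails.builder.id missing")
    return problems


def example_statement():
    """Provenance for a constructed artifact built from constructed inputs."""
    artifacts = {"app.tar.gz": b"constructed artifact contents, not a real build"}
    commit = "0123456789abcdef0123456789abcdef01234567"  # constructed
    external_params = {  # hypothetical pipeline inputs
        "repository": "https://gitlab.example.com/group/project",
        "ref": "refs/heads/main",
        "commit": commit,
        "job": "build",
    }
    dependencies = [{"uri": "git+https://gitlab.example.com/group/project@refs/heads/main",
                     "digest": {"gitCommit": commit}}]
    return make_provenance(artifacts, external_params, dependencies, invocation_id="12345")


if __name__ == "__main__":
    stmt = example_statement()
    print(json.dumps(stmt, indent=2))
    print("problems:", validate_provenance(stmt))
```

The statement is the unsigned payload; in practice it is wrapped in a DSSE envelope and signed by the builder so a consumer can verify both the signature and the `runDetails.builder.id` before trusting the provenance.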
Customer value
- Customers can generate attestation metadata that provides verifiable evidence of the provenance and integrity of their software artifacts.
- Attestation metadata lets customers strengthen their software supply chain by making tampered or compromised builds detectable at verification time.
Edited by Darren Eastman