SLSA Level 1

[varunsh-coder]

harden-runner will generate provenance in the future. It should then be possible to meet SLSA level 1 using GitHub Actions hosted-runner when using harden-runner.

You will then be able to view provenance of your artifacts along with the security insights.

Please share ideas/ requirements around this.

[varunsh-coder]

The current plan is to implement this for docker builds. When the security agent that harden-runner installs observes that a docker image has been built, it will generate provenance and record in the build log. The harden-runner-app can read the information from the build log and store it in the back-end data store. Developers will be able to add a badge to their repo's readme file pointing to a provenance page, e.g. app.stepsecurity.io/github/owner/repo/provenance, which will display provenance records for images built in workflows in that repo.

As a developer, no change would be required, other than adding the harden-runner GitHub Action as the first step.

This experience, of automatically getting the provenance information would be similar to Google Cloud Build: https://cloud.google.com/build/docs/securing-builds/view-build-provenance

In a future release, it should also be possible to push the provenance record along with the image when docker credentials have been configured (e.g. when docker push is called).