SLSA-BUILD-L2 — Provenance/signing step is missing id-token: write

Field	Value
Rule ID	`slsa-build-l2-oidc-token-scope`
Severity	MEDIUM
SLSA level	v1.2 Build L2
Auto-fix	✗

What the check does

Fires on any job that uses one of:

actions/attest-build-provenance@… / actions/attest@…
sigstore/cosign-installer@… (or a cosign sign run-line)
A reusable workflow call under slsa-framework/slsa-github-generator/...

…without declaring permissions: id-token: write either at the job level or at the workflow level.

Why it matters

Sigstore’s keyless signing path mints a short-lived signing certificate from the workflow’s OIDC token. GitHub does not issue that token unless the job (or workflow) explicitly requests id-token: write. Without the permission, the signing step fails — and SLSA Build L2’s “signed provenance” requirement is unmet.

Vulnerable example

jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read              # ← no id-token: write
    steps:
      - uses: actions/attest-build-provenance@<sha>

Safe example

jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      id-token: write             # OIDC token
      attestations: write         # upload attestation
      contents: read
    steps:
      - uses: actions/attest-build-provenance@<sha>

SLSA-BUILD-L2 — Build provenance is not generated SLSA-BUILD-L2 — Permissions block grants overly broad scopes

⌘I

Documentation Index

​What the check does

​Why it matters

​Vulnerable example

​Safe example

What the check does

Why it matters

Vulnerable example

Safe example