| Field | Value |
| --- | --- |
| Rule ID | slsa-build-l2-provenance |
| Severity | HIGH |
| SLSA level | v1.2 Build L2 |
| Auto-fix | No |

What the check does

Flags any workflow that:
  1. Publishes a release-shaped artifact — a step using one of softprops/action-gh-release, actions/upload-release-asset, docker/build-push-action, actions/upload-pages-artifact, or a run: line containing docker push, gh release upload|create, npm publish, cargo publish, twine upload, gem push, or goreleaser release, AND
  2. Does not contain any step from actions/attest-build-provenance / actions/attest, nor a uses: call into slsa-framework/slsa-github-generator/....

Why it matters

SLSA Build L2 requires that artifacts ship with signed provenance — a verifiable record of what built them, how, and from which source. Without provenance, downstream consumers cannot detect tampering.

Vulnerable example

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<sha>
      - uses: softprops/action-gh-release@<sha>
        with:
          files: dist/*

Safe example

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      attestations: write
      contents: write
    steps:
      - uses: actions/checkout@<sha>
      - run: ./build.sh
      - uses: actions/attest-build-provenance@<sha>
        with:
          subject-path: dist/*
      - uses: softprops/action-gh-release@<sha>
        with:
          files: dist/*

For Build L3, prefer the slsa-framework/slsa-github-generator reusable workflow over an in-job attestation step — see provenance-isolated.
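As an added illustration, not pipefort's own implementation, here is a line-oriented approximation of the check in Python: it flags the publishing actions and commands listed above unless an attestation step or a slsa-github-generator call is present. It scans raw workflow text rather than parsed YAML, so it also catches commands inside multi-line `run: |` blocks; the sample workflows (the page's vulnerable example, the same with an attestation step, and a docker push variant) are constructed.

```python
import re

# Publishing actions and commands named by the rule; `@<version>` suffixes are stripped before matching.
PUBLISH_ACTIONS = {"softprops/action-gh-release", "actions/upload-release-asset",
                   "docker/build-push-action", "actions/upload-pages-artifact"}
PUBLISH_CMD = re.compile(r"\b(docker push|gh release (?:upload|create)|npm publish|cargo publish|"
                         r"twine upload|gem push|goreleaser release)\b")
ATTEST_ACTIONS = {"actions/attest-build-provenance", "actions/attest"}
SLSA_GENERATOR = "slsa-framework/slsa-github-generator/"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)")


def check_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means the rule passes."""
    publishes, attests = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # YAML comment, not a step
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)  # step- or job-level `uses:` target without its version
            if ref in PUBLISH_ACTIONS:
                publishes.append(f"line {lineno}: uses {ref}")
            if ref in ATTEST_ACTIONS or ref.startswith(SLSA_GENERATOR):
                attests = True
            continue
        # Every other line, including the body of a multi-line `run: |`, is scanned for publish commands.
        m = PUBLISH_CMD.search(line)
        if m:
            publishes.append(f"line {lineno}: runs '{m.group(1)}'")
    if publishes and not attests:
        return [f"slsa-build-l2-provenance: {p} without provenance attestation" for p in publishes]
    return []


# Constructed samples: the page's vulnerable workflow, the same with an attestation step, and a docker push.
VULNERABLE = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@<sha>
      - uses: softprops/action-gh-release@<sha>
"""
SAFE = VULNERABLE.replace("    steps:\n", "    steps:\n      - uses: actions/attest-build-provenance@<sha>\n")
DOCKER_PUSH = """\
jobs:
  image:
    steps:
      - run: |
          docker build -t ghcr.io/example/app:latest .
          docker push ghcr.io/example/app:latest
"""
```

A real implementation should walk the parsed YAML (jobs, steps, reusable-workflow calls) instead of regex-matching lines; this version trades that precision for a dependency-free demonstration of the rule's two conditions.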

Why no auto-fix

Provenance generation depends on what the workflow actually builds and where it publishes; injecting a generic attestation step would produce a broken build more often than a working one.