| Field | Value |
|---|---|
| Rule ID | slsa-build-l2-verify-step |
| Severity | INFO |
| SLSA level | v1.2 Build L2 |
| Auto-fix | |

What the check does

Fires when a workflow contains either:
  • a step that uses actions/download-artifact, or
  • a run: step whose script contains docker pull, docker run, crane pull, or skopeo copy,
and no step anywhere in the workflow runs a verifier: a run: step matching gh attestation verify, slsa-verifier verify, cosign verify-attestation, or cosign verify, or a uses: step that calls slsa-framework/slsa-verifier-action. The match is on the step text itself, so a verify command hidden inside a wrapper script is not recognised and still triggers the finding, and the rule does not check that the verification runs before the downloaded artifact is used.
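The detection logic described above, as an added example that is not Pipefort's own code: a small Python re-implementation of the rule that walks every job and step of a workflow, looks for consumer steps and verifier steps with the same action names and command patterns the rule lists, and reports one finding per consumer step when no verifier step exists anywhere. It assumes the workflow YAML has already been parsed into a dict (for example with PyYAML's yaml.safe_load); the function names, the finding shape and all four sample workflows are constructed for this example, two of them taken from the page's vulnerable and safe examples and two added to show the wrapper-script caveat and an image-pull consumer.

```python
import re

RULE_ID = "slsa-build-l2-verify-step"
SEVERITY = "INFO"

# Consumer side: actions and commands that bring an external artifact or image into the job.
CONSUMER_ACTIONS = ("actions/download-artifact",)
CONSUMER_CMD = re.compile(r"\b(docker pull|docker run|crane pull|skopeo copy)\b")

# Verifier side: the CLI invocations and the verifier action the rule accepts.
VERIFY_ACTIONS = ("slsa-framework/slsa-verifier-action",)
VERIFY_CMD = re.compile(
    r"\b(gh attestation verify|slsa-verifier verify|cosign verify-attestation|cosign verify)\b"
)


def _uses_target(step: dict) -> str:
    """'owner/repo@ref' -> 'owner/repo' (the pinned ref does not matter for matching)."""
    return str(step.get("uses") or "").split("@", 1)[0]


def is_consumer(step: dict) -> bool:
    if any(_uses_target(step).startswith(a) for a in CONSUMER_ACTIONS):
        return True
    return bool(CONSUMER_CMD.search(str(step.get("run") or "")))


def is_verifier(step: dict) -> bool:
    if any(_uses_target(step).startswith(a) for a in VERIFY_ACTIONS):
        return True
    # Text match only: a verify call inside a wrapper script is invisible here.
    return bool(VERIFY_CMD.search(str(step.get("run") or "")))


def iter_steps(workflow: dict):
    for job_id, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            yield job_id, idx, step


def check_workflow(workflow: dict) -> list:
    """One finding per consumer step, but only if no verifier step exists in any job.
    As on the page, presence of a verifier anywhere silences the rule; ordering is not checked."""
    if any(is_verifier(s) for _, _, s in iter_steps(workflow)):
        return []
    return [
        {"rule": RULE_ID, "severity": SEVERITY, "job": job_id, "step": idx,
         "detail": step.get("uses") or step.get("run")}
        for job_id, idx, step in iter_steps(workflow)
        if is_consumer(step)
    ]


# Constructed sample workflows (as yaml.safe_load would return them).
DOWNLOAD = {"uses": "actions/download-artifact@<sha>", "with": {"name": "built-binary"}}
RUN_IT = {"run": "./built-binary --do-the-thing"}

VULNERABLE = {"jobs": {"use": {"runs-on": "ubuntu-latest", "steps": [DOWNLOAD, RUN_IT]}}}

SAFE = {"jobs": {"use": {"runs-on": "ubuntu-latest", "steps": [
    DOWNLOAD,
    {"run": "gh attestation verify built-binary --owner my-org"},
    RUN_IT,
]}}}

# Verification hidden in a hypothetical wrapper script: still fires, because only step text is matched.
WRAPPED = {"jobs": {"use": {"runs-on": "ubuntu-latest", "steps": [
    DOWNLOAD,
    {"run": "./scripts/verify-provenance.sh built-binary"},
    RUN_IT,
]}}}

# Image consumer: a multi-line script that pulls and runs a container image.
IMAGE = {"jobs": {"deploy": {"runs-on": "ubuntu-latest", "steps": [
    {"run": "set -e\ndocker pull ghcr.io/my-org/app:1.2.3\ndocker run --rm ghcr.io/my-org/app:1.2.3 --check"},
]}}}


if __name__ == "__main__":
    for name, wf in (("VULNERABLE", VULNERABLE), ("SAFE", SAFE), ("WRAPPED", WRAPPED), ("IMAGE", IMAGE)):
        print(name, check_workflow(wf))
```

Running the script prints one INFO finding for VULNERABLE, WRAPPED and IMAGE (each on the step that downloads the artifact or pulls the image) and none for SAFE. The word boundaries in the command patterns keep unrelated text such as `docker runner` from matching.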

Why it’s INFO

Producing signed provenance (Build L2) only delivers value if consumers verify it. This is a strong recommendation rather than a security defect in itself: a workflow may be a pure producer that consumes no external artifacts, or it may verify out-of-band. INFO keeps the rule out of failure thresholds by default.

Vulnerable example

jobs:
  use:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@<sha>
        with: { name: built-binary }
      # The artifact is executed with nothing checking its provenance first.
      - run: ./built-binary --do-the-thing

Safe example

jobs:
  use:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@<sha>
        with: { name: built-binary }
      # Fails the job unless a provenance attestation for this exact file digest
      # was issued under my-org. gh needs a token to query the attestations API.
      - run: gh attestation verify built-binary --owner my-org
        env:
          GH_TOKEN: ${{ github.token }}
      - run: ./built-binary --do-the-thing