Slsa Github Generator

Language-agnostic SLSA provenance generation for Github Actions
Alternatives To Slsa Github Generator
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
13 days ago523otherC++
An open-source user mode debugger for Windows. Optimized for reverse engineering and malware analysis.
Trivy16,6942516 hours ago176September 16, 2022386apache-2.0Go
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
2 days ago97mitGo
Protect and discover secrets using Gitleaks 🔑
Personal Security Checklist10,873
5 days ago25other
🔒 A compiled checklist of 300+ tips for protecting digital security and privacy in 2022
Trufflehog10,69662a day ago42April 28, 2021126agpl-3.0Go
Find credentials all over the place
Zaproxy10,6353420 hours ago8December 11, 2021744apache-2.0Java
The OWASP ZAP core project
a day ago142September 02, 202280gpl-3.0Go
Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
20 days ago17April 27, 2022117gpl-3.0Rust
🤖 The Modern Port Scanner 🤖
Scapy8,55781415016 hours ago22April 19, 2021118gpl-2.0Python
Scapy: the Python-based interactive packet manipulation program & library. Supports Python 2 & Python 3.
21 hours ago1August 14, 2018217otherPython
Daemon to ban hosts that cause multiple authentication errors
Alternatives To Slsa Github Generator
Select To Compare

Alternative Project Comparisons

SLSA GitHub Generator

OpenSSF Scorecard CII Best Practices Go Report Card Slack SLSA 3


What is SLSA?

Supply chain Levels for Software Artifacts, or SLSA (salsa), is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.

SLSA defines an incrementally adoptable set of levels which are defined in terms of increasing compliance and assurance. SLSA levels are like a common language to talk about how secure software, supply chains and their component parts really are.

What is provenance?

Provenance is information, or metadata, about how a software artifact was created. This could include information about what source code, build system, and build steps were used, as well as who and why the build was initiated. Provenance can be used to determine the authenticity and trustworthiness of software artifacts that you use.

As part of the framework, SLSA defines a provenance format which can be used to hold this metadata.

What is slsa-github-generator?

slsa-github-generator is a set of tools for generation of SLSA3+ provenance for native GitHub projects. It allows projects to generate SLSA provenance safely and accurately using GitHub Actions.

Specifically, this repository contains tools for generating non-forgeable SLSA provenance on GitHub that meets the build and provenance requirements for SLSA level 3 and above.

While slsa-github-generator can help you achieve SLSA level 3, use of the provided GitHub Actions reusable workflows only is not sufficient to meet all of the requirements at SLSA level 3. Specifically, the source requirements are not covered by these workflows and must be handled explicitly to meet all requirements at SLSA level 3+.


The project roadmap is tracked via milestones. You can track progress and open issues via the milestones page. Each milestone includes a description of what is being worked on and a rough timeline for completion.

Generation of provenance

Below we describe the various builders and generators in this repository. They let you build and / or generate non-forgeable provenance using a trusted / isolated re-usable workflow. You can read up on the design in our technical design document.

Referencing SLSA builders and generators

At present, the GitHub Actions provided in this repository as builders and generators MUST be referenced by tag in order for the slsa-verifier to be able to verify the ref of the trusted builder/generator's reusable workflow. It also needs to be referred as @vX.Y.Z, because the build will fail if you reference it via a shorter tag like @vX.Y or @vX.

This is contrary to the GitHub best practice for third-party actions which recommends referencing by digest, but intentional due to limits in GitHub Actions. The desire to be able to verify reusable workflows pinned by hash, and the reasons for the current status, are tracked as Issue #12 in the slsa-verifier project.

For guidance on how to configure renovate see


Builders build and generate provenance. They let you meet the build and provenance requirements for SLSA Level 3 and above.

Builders are able to report the commands used to generate your artifact in the provenance.

This repository hosts the following builders:

  1. Go Builder SLSA Level 3. Status: available since v1.0.0. This builder builds and generates provenance for your Go projects. To use it, follow the Go builder's
  2. Container Builder SLSA Level 3. Status: WIP, expected release in Dec 2022. This builder will build your container image and generate provenance. The generated provenance will be compatible with cosign's attestation format.
  3. Dockerfile-based Builder SLSA Level 3. Status: WIP. This builder will build arbitrary artifacts using building steps defined in a Dockerfile.

If you would rather build your project yourself, use the generators instead as explained in the next section.

Provenance-only generators

Provenance-only generators let you build your artifact, and only generate provenance for you. They let you meet the provenance requirements for SLSA Level 3.

Generators create an attestation to a software artifact coming from your repository.

Generators are not able to report the commands used to generate your artifact in the provenance.

This repository hosts the following generators:

  1. Generic generator SLSA Level 3. Status: available since v1.2.0. This generator generates provenance for arbitrary artifacts of your choice. To use it, follow the Generic generator's
  2. Container generator SLSA Level 3. Status: available since v1.4.0. This generator will generate provenance for container images. The generated provenance will be compatible with cosign's attestation format.

Verification of provenance

To verify the provenance, use the project.


To install the verifier, see slsa-framework/slsa-verifier#installation.


The inputs of the verifier are described in slsa-framework/slsa-verifier#available-options.

Command line examples

A command line example is provided in slsa-framework/slsa-verifier#example.

Technical design

The initial technical design was described in the blog post "Improving software supply chain security with tamper-proof builds".


For a more in-depth technical dive, read the

Provenance format

The format of the provenance is available in


Please see the Contributor Guide for more info.

Popular Security Projects
Popular Security Tools Projects
Popular Security Categories

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Security Tools
Security Hardening