SLSA provenance available check #2145
Comments
You're right. The provenance is stored inside the zip file. Good catch! Does this work?
Yes, thanks for the quick reply 👍 It would also be good to explicitly document this and encourage people to put the provenance as a release asset to help analysis tools?
See #2146. Let me know what you think for the doc.
Because Scorecard looks for the If SLSA provenances are found in the [release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases)
Updated, PTAL
Great. To be consistent, I think the docs/checks.md should change too.
@laurentsimon I have a question about the recent change that checks for `.intoto.jsonl` extensions in the release assets. With this check, the Scorecard repository itself will not meet the provenance available check, looking at the latest release assets. I can see that the trusted builder workflow is called here. Would Scorecard report a false positive against itself for SLSA provenance available check?
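The two places this thread says provenance can live, a `.intoto.jsonl` file uploaded directly as a release asset or packed inside a zip asset, as an added example that is not Scorecard's own code; the release assets and their contents are constructed in memory so it runs offline.

```python
# Added example, not Scorecard's own code: detect SLSA provenance among
# GitHub release assets, either uploaded directly as a `.intoto.jsonl`
# asset or packed inside a zip asset. Assets are modelled as (name, bytes).
import io
import zipfile

PROVENANCE_SUFFIX = ".intoto.jsonl"


def provenance_assets(assets):
    """Names of release assets that are themselves provenance files."""
    return [name for name, _ in assets if name.endswith(PROVENANCE_SUFFIX)]


def provenance_in_zips(assets):
    """(zip asset, member) pairs for provenance packed inside zip assets."""
    found = []
    for name, data in assets:
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                found += [(name, m) for m in zf.namelist()
                          if m.endswith(PROVENANCE_SUFFIX)]
        except zipfile.BadZipFile:
            continue  # a corrupt or non-zip payload carries no provenance
    return found


def has_provenance(assets):
    """True if provenance is found as an asset or inside a zip asset."""
    return bool(provenance_assets(assets) or provenance_in_zips(assets))


def build_zip(members):
    """Build an in-memory zip from {member_name: bytes} (for the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()


# Constructed sample release: binary and provenance are packed in one zip,
# so a check that only looks at top-level asset names would miss it.
SAMPLE_ASSETS = [
    ("tool-linux-amd64", b"ELF..."),
    ("tool-linux-amd64.zip", build_zip({
        "tool-linux-amd64": b"ELF...",
        "tool-linux-amd64.intoto.jsonl": b'{"payloadType": "application/vnd.in-toto+json"}',
    })),
]
```

A name-only scan of `SAMPLE_ASSETS` finds nothing, while the zip scan reports the packed provenance, which is the mismatch the thread is about.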