SLSA provenance available check

[behnazh-w]

@laurentsimon I have a question about the recent change that checks for .intoto.jsonl extensions in the release assets. With this check, the Scorecard repository itself will not meet the provenance available check, looking at the latest release assets.

I can see that the trusted builder workflow is called here. Would Scorecard report a false positive against itself for SLSA provenance available check?

[laurentsimon]

You're right. The provenance is stored inside the zip file.. good catch!
Im going to move Scorecard to use the generic generator soon, because the Go builder only supports a single build. Once we have support for multiple builds, we will move back to using the Go builder and release binaries instead of zip files. So the provenance will be stored next to the binaries.

Does this work?

[behnazh-w]

Yes, thanks for the quick reply 👍

It would also be good to explicitly document this and encourage people to put the provenance as a release asset to help analysis tools?

[laurentsimon]

See #2146. Let me know what you think for the doc.

[behnazh-w]

If SLSA provenances are found for the releases

Because Scorecard looks for the .intoto.jsonl files in the release assets, it would be better to point it out I think, e.g.,

If SLSA provenances are found in the [release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases)

[laurentsimon]

Updated, PTAL

[behnazh-w]

Great. To be consistent, I think the docs/checks.md should change too.