
feat: Generate SLSA provenance for operator images#602

Merged
dervoeti merged 3 commits into main from feat/slsa-provenance on Jul 1, 2026

Conversation

@dervoeti

@dervoeti dervoeti commented Jun 26, 2026

Member

Bumped stackabletech/actions from v0.15.0 to v0.16.0 so the digest output is provided.

Add provenance-oci and provenance-quay jobs to the templated build workflow. Both call the slsa-github-generator container workflow against the multi-arch image index digest published to each registry, attaching signed SLSA build provenance to the image.

Optional extra information, feel free to ignore:
I added SLSA provenance to our fork of SecObserve already in a similar fashion, here is the workflow run:
https://github.com/stackabletech/SecObserve/actions/runs/28184881580

Here is an example of how to manually inspect the SLSA provenance attestation for an image:

cosign download attestation oci.stackable.tech/stackable/secobserve-backend@sha256:66972afe0b57d3747d892a2887c7f872176e7cd824d2cdfff0dd851ba3ce6eda | jq -r '.payload' | base64 -d | jq 'select(.predicateType=="https://slsa.dev/provenance/v0.2") | .predicate.invocation'

Or using slsa-verifier:

slsa-verifier verify-image oci.stackable.tech/stackable/secobserve-backend@sha256:66972afe0b57d3747d892a2887c7f872176e7cd824d2cdfff0dd851ba3ce6eda --source-uri github.com/stackabletech/SecObserve

It's basically a signed JSON document that provides a ton of metadata about the image build. The attestation is done by an isolated job that runs https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml, so it's an independent "witness" that can't be manipulated (this means we achieve SLSA level 3). Luckily it's pretty easy to do since we use GitHub Actions.
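The manual inspection described above (download the attestations with cosign, base64-decode the DSSE payload, pick out the statement whose predicateType is SLSA v0.2) and the policy checks that slsa-verifier's --source-uri option enforces, as an added example that is not part of this pull request or of the slsa-github-generator project. The sample DSSE envelopes, the placeholder image digest and the repository name example-org/example-repo are constructed for the example; the only real identifiers are the predicateType URI and the generator_container_slsa3.yml builder workflow path. Signature verification is deliberately left out: cosign and slsa-verifier check the Sigstore signature and transparency-log entry, and the checks below only make sense after that step has passed.

```python
import base64
import json

SLSA_V02 = "https://slsa.dev/provenance/v0.2"

# Builder id that slsa-github-generator writes into the provenance; the tag after
# the "@" varies per release, so only the prefix is pinned here.
EXPECTED_BUILDER_PREFIX = (
    "https://github.com/slsa-framework/slsa-github-generator/"
    ".github/workflows/generator_container_slsa3.yml@"
)


def _envelope(statement: dict) -> str:
    """Wrap an in-toto statement in a DSSE envelope shaped like cosign's output (constructed, unsigned)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "<placeholder-signature>"}]})


# Constructed sample: cosign prints one envelope per line, so an unrelated SBOM
# attestation is included first to show why the predicateType filter is needed.
IMAGE_DIGEST = "sha256:" + "ab" * 32          # constructed placeholder digest
SOURCE_URI = "git+https://github.com/example-org/example-repo@refs/heads/main"
SAMPLE_ATTESTATIONS = "\n".join([
    _envelope({"_type": "https://in-toto.io/Statement/v0.1",
               "predicateType": "https://spdx.dev/Document",
               "subject": [{"name": "example.invalid/app", "digest": {"sha256": IMAGE_DIGEST[7:]}}],
               "predicate": {}}),
    _envelope({"_type": "https://in-toto.io/Statement/v0.1",
               "predicateType": SLSA_V02,
               "subject": [{"name": "example.invalid/app", "digest": {"sha256": IMAGE_DIGEST[7:]}}],
               "predicate": {
                   "builder": {"id": EXPECTED_BUILDER_PREFIX + "refs/tags/vX.Y.Z"},  # placeholder tag
                   "buildType": "https://github.com/slsa-framework/slsa-github-generator/container@v1",
                   "invocation": {"configSource": {"uri": SOURCE_URI,
                                                   "digest": {"sha1": "0" * 40},
                                                   "entryPoint": ".github/workflows/build.yml"}},
                   "materials": [{"uri": SOURCE_URI, "digest": {"sha1": "0" * 40}}]}}),
])


def decode_provenance(envelopes_text: str) -> list[dict]:
    """Return every in-toto statement carrying a SLSA v0.2 predicate from newline-separated DSSE envelopes."""
    found = []
    for line in envelopes_text.splitlines():
        if not line.strip():
            continue
        env = json.loads(line)
        if env.get("payloadType") != "application/vnd.in-toto+json":
            continue
        stmt = json.loads(base64.b64decode(env["payload"]))
        if stmt.get("predicateType") == SLSA_V02:
            found.append(stmt)
    return found


def check_provenance(stmt: dict, image_digest: str, source_repo: str) -> list[str]:
    """Policy checks on one statement; returns the list of failures (empty means pass).

    Mirrors what slsa-verifier verify-image --source-uri enforces: the attestation
    is about this exact image, it was produced by the isolated generator workflow,
    and the build was configured from the expected source repository.
    """
    failures = []
    want_hex = image_digest.removeprefix("sha256:")
    if not any(s.get("digest", {}).get("sha256") == want_hex for s in stmt.get("subject", [])):
        failures.append("subject digest does not match image digest")
    pred = stmt.get("predicate", {})
    if not pred.get("builder", {}).get("id", "").startswith(EXPECTED_BUILDER_PREFIX):
        failures.append("builder is not the slsa-github-generator container workflow")
    uri = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not uri.startswith(f"git+https://{source_repo}@"):
        failures.append(f"configSource {uri!r} is not from {source_repo}")
    return failures


def verify(envelopes_text: str, image_digest: str, source_repo: str) -> bool:
    """True when at least one SLSA v0.2 provenance statement passes every check."""
    stmts = decode_provenance(envelopes_text)
    return bool(stmts) and any(not check_provenance(s, image_digest, source_repo) for s in stmts)


if __name__ == "__main__":
    # Stand-in for: cosign download attestation <image@digest> | python this_script.py
    for stmt in decode_provenance(SAMPLE_ATTESTATIONS):
        print(json.dumps(stmt["predicate"]["invocation"], indent=2))
    print("verified:", verify(SAMPLE_ATTESTATIONS, IMAGE_DIGEST, "github.com/example-org/example-repo"))
```

The source-repository check is the one that matters most in practice: an attestation that is correctly signed by the generator workflow but whose configSource points at some other repository still proves nothing about the image you intended to run, which is exactly why slsa-verifier requires --source-uri rather than accepting any valid attestation.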

@dervoeti dervoeti marked this pull request as draft June 26, 2026 08:52
@dervoeti dervoeti self-assigned this Jun 26, 2026
@dervoeti dervoeti force-pushed the feat/slsa-provenance branch from 2620667 to f54ae0c Compare June 26, 2026 11:42
@dervoeti dervoeti marked this pull request as ready for review July 1, 2026 13:22
@dervoeti dervoeti moved this to Development: Waiting for Review in Stackable Engineering Jul 1, 2026

@NickLarsenNZ NickLarsenNZ left a comment

Member


LGTM

@NickLarsenNZ NickLarsenNZ moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Jul 1, 2026
@StefanFl

StefanFl commented Jul 1, 2026

Member

The slsa-verifier responds with "FAILED: SLSA verification failed: no matching attestations" for the example above.

@dervoeti

dervoeti commented Jul 1, 2026

Member Author

The slsa-verifier responds with "FAILED: SLSA verification failed: no matching attestations" for the example above.

Ah that's right, I built a new version of SecObserve in the meantime and the old image was garbage collected. I updated the hash.

@dervoeti dervoeti added this pull request to the merge queue Jul 1, 2026
Merged via the queue into main with commit a0fd6b5 Jul 1, 2026
2 checks passed
@dervoeti dervoeti deleted the feat/slsa-provenance branch July 1, 2026 16:16
@dervoeti dervoeti moved this from Development: In Review to Development: Done in Stackable Engineering Jul 1, 2026
3 participants