jenkinsci/slsa-plugin

A Jenkins plugin to create SLSA provenance attestations

SLSA Jenkins Plugin

The SLSA Jenkins plugin generates SLSA provenance attestations for build artifacts.

Job configuration - Freestyle project

The plugin provides a Post-build action that generates provenance attestations in SLSA format (<artifact-name>.intoto.jsonl or multiple.intoto.jsonl) for artifacts matching the given filter after a successful build.

Artifact Filter: Specifies the artifacts to include.

Target Directory: Specifies the directory where generated provenance attestations should be created.

Job configuration - Pipeline project

To use the plugin with the declarative pipeline syntax, add the following snippet to the pipeline:

...
post {
    success {
        provenanceRecorder artifactFilter: 'build/libs/**.jar', targetDirectory: 'build/slsa'
    }
}
...

Artifact Filter: Specifies the artifacts to include.

Target Directory: Specifies the directory where generated provenance attestations should be created.

Current limitations

  • currently only the Git SCM provider is supported
  • executed build steps are not yet recorded
  • signing of attestations is not yet supported
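The plugin writes its provenance as .intoto.jsonl files and, per the limitation above, does not sign them yet. What follows is an added example, not code from this plugin or its authors, showing how a consumer could check such a file before trusting an artifact. It assumes the standard .intoto.jsonl layout (one DSSE envelope per line, each carrying a base64 in-toto Statement with an SLSA provenance predicate); that layout is the spec's convention and is an assumption about this plugin's output. It recomputes the sha256 of each subject against the artifact on disk, and reports an empty signatures list as a warning so the unsigned state is visible rather than silently accepted. The sample envelope and artifact bytes are constructed inline; the builder.id and buildType values are placeholders.

```python
import base64
import hashlib
import json
import os
import tempfile

# Statement types and SLSA predicate prefix as published by the in-toto and SLSA specs
IN_TOTO_STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"
DSSE_INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def sha256_hex(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_intoto_jsonl(text):
    """Parse one DSSE envelope per line; return a list of (statement, signatures).
    Assumption: the file follows the standard DSSE layout (payloadType, base64 payload, signatures)."""
    parsed = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != DSSE_INTOTO_PAYLOAD_TYPE:
            raise ValueError(f"line {lineno}: unexpected payloadType {envelope.get('payloadType')!r}")
        statement = json.loads(base64.b64decode(envelope["payload"]))
        parsed.append((statement, envelope.get("signatures") or []))
    return parsed


def check_statement(statement, signatures, artifact_dir):
    """Validate one statement against artifacts in artifact_dir; return errors, warnings, verified names."""
    findings = {"errors": [], "warnings": [], "verified_subjects": []}
    if statement.get("_type") not in IN_TOTO_STATEMENT_TYPES:
        findings["errors"].append(f"unknown statement type {statement.get('_type')!r}")
    if not str(statement.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
        findings["errors"].append(f"predicateType is not SLSA provenance: {statement.get('predicateType')!r}")
    if not signatures:
        # Expected with this plugin today (no signing yet); surface it so nobody assumes origin is verified.
        findings["warnings"].append("envelope carries no signatures: origin of the provenance cannot be verified")
    for subject in statement.get("subject", []):
        name = subject.get("name", "")
        expected = subject.get("digest", {}).get("sha256")
        path = os.path.join(artifact_dir, name)
        if not expected:
            findings["errors"].append(f"{name}: subject has no sha256 digest")
        elif not os.path.isfile(path):
            findings["errors"].append(f"{name}: artifact not found next to attestation")
        elif sha256_hex(path) != expected:
            findings["errors"].append(f"{name}: digest mismatch, artifact changed after attestation")
        else:
            findings["verified_subjects"].append(name)
    return findings


def build_sample_envelope(subject_name, digest_hex):
    """Constructed sample envelope (not plugin output); builder and buildType are placeholders."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": subject_name, "digest": {"sha256": digest_hex}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": "https://jenkins.example.invalid/"},  # placeholder
            "buildType": "https://example.invalid/jenkins-build",  # placeholder
            "materials": [],
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": DSSE_INTOTO_PAYLOAD_TYPE, "payload": payload, "signatures": []})


def demo(tamper=False):
    """Write a constructed artifact, attest it, optionally modify it afterwards, and check the result."""
    with tempfile.TemporaryDirectory() as workdir:
        artifact = os.path.join(workdir, "app.jar")
        with open(artifact, "wb") as f:
            f.write(b"constructed artifact bytes, not a real jar\n")
        jsonl = build_sample_envelope("app.jar", sha256_hex(artifact))
        if tamper:
            with open(artifact, "ab") as f:
                f.write(b"modified after the attestation was produced\n")
        return [check_statement(stmt, sigs, workdir) for stmt, sigs in parse_intoto_jsonl(jsonl)]


if __name__ == "__main__":
    for label, result in (("intact", demo()), ("tampered", demo(tamper=True))):
        print(label, json.dumps(result, indent=2))
```

On a real build, point check_statement at the plugin's target directory (build/slsa in the pipeline snippet above) with the matching artifacts beside it; the digest check catches an artifact swapped after the attestation was written, while the unsigned warning remains until signing support lands.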

LICENSE

Licensed under MIT, see LICENSE.
