This feature is in beta.
Experimental: users report that this component is working, but it needs a broader audience to be battle-tested properly.
Report any issues to the #nais channel on Slack.
What is SLSA
SLSA is short for Supply chain Levels for Software Artifacts, pronounced "salsa".
It is a security framework: a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in our projects.
The salsa action generates signed provenance for a build and its related artifacts and dependencies. Provenance is an attestation (a signed "software bill of materials") about a software artifact or collection of artifacts, documenting how the artifact was produced, all in a common format.
The attestation is signed and uploaded to your container registry using cosign, and can be verified with the salsa cli or with the cosign verify-attestation command.
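As an added illustration (not code from the salsa action or the salsa cli), the script below decodes the attestation document that cosign prints after a successful verification and checks that the provenance actually describes the image you are about to deploy: the payload must be an in-toto Statement with a SLSA provenance predicate, and its subject digest must match the digest you expect. Cosign has already checked the signature by the time it prints the envelope; this only inspects the signed content. The envelope here is a constructed sample, and the image name, digests, URIs and helper function names are assumptions for the example.

```python
import base64
import json

SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample in-toto Statement carrying a SLSA provenance predicate.
# Image name, digests and material URIs are made up for this example.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [
        {"name": "ghcr.io/example-org/example-app",
         "digest": {"sha256": "a" * 64}},
    ],
    "predicate": {
        "builder": {"id": "https://github.com/example-org/example-app/actions"},
        "buildType": "https://github.com/example-org/example-app/.github/workflows/build.yml",
        "materials": [
            {"uri": "git+https://github.com/example-org/example-app",
             "digest": {"sha1": "b" * 40}},
            {"uri": "pkg:maven/org.example/lib@1.2.3",
             "digest": {"sha256": "c" * 64}},
        ],
    },
}


def make_envelope(statement):
    """Wrap a statement the way cosign does: a DSSE envelope whose payload is
    the base64-encoded statement. The signature is a placeholder here; a real
    envelope carries the signature cosign produced with the KMS key."""
    payload = base64.b64encode(json.dumps(statement).encode("utf-8")).decode("ascii")
    return {
        "payloadType": INTOTO_PAYLOAD_TYPE,
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-SIGNATURE"}],
    }


def decode_provenance(envelope):
    """Return the in-toto Statement inside a DSSE envelope, rejecting anything
    that is not an in-toto payload with a SLSA provenance predicate."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
    statement = json.loads(base64.b64decode(envelope["payload"]))
    predicate_type = str(statement.get("predicateType", ""))
    if not predicate_type.startswith(SLSA_PREDICATE_PREFIX):
        raise ValueError("not a SLSA provenance predicate: %r" % predicate_type)
    return statement


def subject_matches(statement, image_name, sha256_digest):
    """True if the provenance names this image with exactly this digest.
    Comparing the digest (not just the tag) is what ties the attestation to
    the bytes you deploy."""
    for subject in statement.get("subject", []):
        if (subject.get("name") == image_name
                and subject.get("digest", {}).get("sha256") == sha256_digest):
            return True
    return False


def material_uris(statement):
    """List the inputs (source repo, dependencies) the build claims it used."""
    materials = statement.get("predicate", {}).get("materials", [])
    return [m["uri"] for m in materials]


if __name__ == "__main__":
    # In practice the envelope would be read from the output of
    # `cosign verify-attestation`; here the constructed sample stands in.
    statement = decode_provenance(make_envelope(SAMPLE_STATEMENT))
    ok = subject_matches(statement, "ghcr.io/example-org/example-app", "a" * 64)
    print("subject digest matches:", ok)
    for uri in material_uris(statement):
        print("material:", uri)
```

The check that matters for deployment is the subject digest: a provenance for the right image name but a different digest means the artifact you hold is not the one that was built and attested.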
SALSA_KMS_KEY is an organization secret; each GitHub org (nais and navikt) is configured with its own.
The action currently supports the following list of languages/build tools:
- No support for projects with internal/private dependencies. You can still create a provenance by setting with.dependencies to false.