git.stella-ops.org/docs/features/unimplemented/scanner/build-provenance-verification-module-with-slsa-level-evaluator.md

Build Provenance Verification Module with SLSA Level Evaluator

Module

Scanner

Status

PARTIALLY_IMPLEMENTED

Description

Scanner stage that evaluates SLSA provenance levels (L0-L4) for artifacts, verifies builder identity against trusted builder lists, checks reproducibility claims, and builds provenance chains. Integrates as a dedicated pipeline stage in the scanner worker.

Implementation Details

• Core Analyzer:
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenanceAnalyzer.cs - Main orchestrator for build provenance analysis
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/BuildProvenanceServiceCollectionExtensions.cs - DI registration
• SLSA Level Evaluation:
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/SlsaLevelEvaluator.cs - Evaluates SLSA provenance levels (L0-L4)
• Builder Verification:
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuilderVerifier.cs - Verifies builder identity against trusted builder lists
• Reproducibility:
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/ReproducibilityVerifier.cs - Checks reproducibility claims
• Provenance Chain:
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenanceChainBuilder.cs - Builds provenance chains linking build steps
• Additional Verifiers:
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildInputIntegrityChecker.cs - Verifies integrity of build inputs
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildConfigVerifier.cs - Verifies build configuration
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/SourceVerifier.cs - Verifies source provenance
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenancePatternMatcher.cs - Pattern matching for provenance artifacts
• Policy:
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Policy/BuildProvenancePolicyLoader.cs - Loads build provenance policies
  • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Policy/BuildProvenancePolicy.cs - Policy model
• Models: src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Models/BuildProvenanceModels.cs
• Reporting: src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Reporting/BuildProvenanceReportFormatter.cs
• Worker Stage: src/Scanner/StellaOps.Scanner.Worker/Processing/BuildProvenance/BuildProvenanceStageExecutor.cs

E2E Test Plan

• Scan an artifact with SLSA L1 provenance and verify SlsaLevelEvaluator assigns level L1
• Scan an artifact with full SLSA L3 provenance (signed, non-falsifiable) and verify level L3 assignment
• Provide a trusted builder list and verify BuilderVerifier validates/rejects builder identities
• Scan an artifact with reproducibility claims and verify ReproducibilityVerifier validates them
• Verify BuildProvenanceChainBuilder links build steps into a verifiable chain
• Verify build provenance findings appear in scan report with SLSA level, builder identity, and chain details
• Scan an artifact with no provenance and verify it is assigned SLSA L0

Verification Findings

• run-001 Tier 0 confirmed all declared files and key symbols exist.
• Tier 1 builds and focused tests passed (18/18), but code review failed semantic parity for the no-provenance runtime path.
• BuildProvenanceStageExecutor currently returns early when SBOM has no buildInfo and no formulation, so the worker pipeline does not emit a BuildProvenanceReport for the claimed SLSA L0 assignment path.
• Tier 2 targeted behavioral checks passed at library level, but runtime worker-stage contract parity failed for no-provenance handling and stage-level behavioral coverage.