git.stella-ops.org/docs/features/unchecked/scanner/build-provenance-verification-module-with-slsa-level-evaluator.md

Build Provenance Verification Module with SLSA Level Evaluator

Module: Scanner

Status: IMPLEMENTED

Description

Scanner stage that evaluates SLSA provenance levels (L0-L4) for artifacts, verifies builder identity against trusted builder lists, checks reproducibility claims, and builds provenance chains. Integrates as a dedicated pipeline stage in the scanner worker.

Implementation Details

  • Core Analyzer:
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenanceAnalyzer.cs - Main orchestrator for build provenance analysis
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/BuildProvenanceServiceCollectionExtensions.cs - DI registration
  • SLSA Level Evaluation:
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/SlsaLevelEvaluator.cs - Evaluates SLSA provenance levels (L0-L4)
  • Builder Verification:
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuilderVerifier.cs - Verifies builder identity against trusted builder lists
  • Reproducibility:
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/ReproducibilityVerifier.cs - Checks reproducibility claims
  • Provenance Chain:
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenanceChainBuilder.cs - Builds provenance chains linking build steps
  • Additional Verifiers:
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildInputIntegrityChecker.cs - Verifies integrity of build inputs
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildConfigVerifier.cs - Verifies build configuration
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/SourceVerifier.cs - Verifies source provenance
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Analyzers/BuildProvenancePatternMatcher.cs - Pattern matching for provenance artifacts
  • Policy:
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Policy/BuildProvenancePolicyLoader.cs - Loads build provenance policies
    • src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Policy/BuildProvenancePolicy.cs - Policy model
  • Models: src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Models/BuildProvenanceModels.cs
  • Reporting: src/Scanner/__Libraries/StellaOps.Scanner.BuildProvenance/Reporting/BuildProvenanceReportFormatter.cs
  • Worker Stage: src/Scanner/StellaOps.Scanner.Worker/Processing/BuildProvenance/BuildProvenanceStageExecutor.cs

E2E Test Plan

  • Scan an artifact with SLSA L1 provenance and verify SlsaLevelEvaluator assigns level L1
  • Scan an artifact with full SLSA L3 provenance (signed, non-falsifiable) and verify level L3 assignment
  • Provide a trusted builder list and verify BuilderVerifier validates/rejects builder identities
  • Scan an artifact with reproducibility claims and verify ReproducibilityVerifier validates them
  • Verify BuildProvenanceChainBuilder links build steps into a verifiable chain
  • Verify build provenance findings appear in scan report with SLSA level, builder identity, and chain details
  • Scan an artifact with no provenance and verify it is assigned SLSA L0
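The following is an added, self-contained C# sketch of the four checks that the Description and the E2E Test Plan above exercise: level assignment, trusted-builder matching, reproducibility verification and chain linking. It is illustration written for this page, not the StellaOps analyzer code listed under Implementation Details. It assumes a simplified SLSA v0.1-style mapping of requirements onto L0-L4, a hypothetical Provenance record shape, and constructed sample records and a constructed trusted-builder list; the real SlsaLevelEvaluator, BuilderVerifier, ReproducibilityVerifier and BuildProvenanceChainBuilder may apply different rules.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical provenance record, loosely modelled on in-toto SLSA provenance fields (not the module's model).
public sealed record Provenance(
    string BuilderId,                        // identity of the build service that claims to have built the artifact
    bool Signed,                             // provenance carries a signature that verified against the builder's key
    bool HostedBuilder,                      // built on a hosted build service rather than a developer workstation
    bool NonFalsifiable,                     // builder attests the build job could not tamper with its own provenance
    bool Hermetic,                           // all inputs declared up front, no network access during the build
    bool TwoPersonReviewed,                  // source change passed two-person review
    string? ReproducedDigest,                // digest produced by an independent rebuild, if one was attempted
    string SubjectDigest,                    // digest of the artifact this provenance describes
    IReadOnlyList<string> MaterialDigests);  // digests of the inputs this build step consumed

public enum SlsaLevel { L0, L1, L2, L3, L4 }

public static class SlsaLevelEvaluator
{
    // Hypothetical mapping of SLSA v0.1-style requirements onto L0-L4; the real module's rules may differ.
    public static SlsaLevel Evaluate(Provenance? p, ISet<string> trustedBuilders)
    {
        if (p is null) return SlsaLevel.L0;                                   // no provenance at all
        if (!(p.Signed && p.HostedBuilder && BuilderVerifier.IsTrusted(p, trustedBuilders)))
            return SlsaLevel.L1;                                              // provenance exists but is not authenticated
        if (!p.NonFalsifiable) return SlsaLevel.L2;                           // authenticated, but the job could alter it
        if (!(p.Hermetic && p.TwoPersonReviewed)) return SlsaLevel.L3;        // isolated, non-falsifiable build
        return SlsaLevel.L4;                                                  // hermetic, reviewed, non-falsifiable
    }
}

public static class BuilderVerifier
{
    // Only an exact match against the operator-supplied trusted builder list counts; an unknown builder's signature proves nothing.
    public static bool IsTrusted(Provenance p, ISet<string> trustedBuilders) => trustedBuilders.Contains(p.BuilderId);
}

public static class ReproducibilityVerifier
{
    // A reproducibility claim holds only if an independent rebuild produced the same subject digest.
    public static bool ClaimHolds(Provenance p) =>
        p.ReproducedDigest is not null &&
        string.Equals(p.ReproducedDigest, p.SubjectDigest, StringComparison.OrdinalIgnoreCase);
}

public static class ProvenanceChainBuilder
{
    // Walks back from the final artifact: a step is linked when its output digest appears among the next step's materials.
    public static List<Provenance> Build(string finalDigest, IReadOnlyList<Provenance> steps)
    {
        var byOutput = steps.ToDictionary(s => s.SubjectDigest, StringComparer.OrdinalIgnoreCase);
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);    // guards against cyclic material references
        var chain = new List<Provenance>();
        string? current = finalDigest;
        while (current is not null && seen.Add(current) && byOutput.TryGetValue(current, out var step))
        {
            chain.Add(step);
            current = step.MaterialDigests.FirstOrDefault(byOutput.ContainsKey); // follow the produced input (linear chain)
        }
        chain.Reverse();                                                      // earliest build step first
        return chain;
    }
}

public static class Program
{
    public static void Main()
    {
        var trusted = new HashSet<string>(StringComparer.Ordinal) { "https://ci.example.test/builder/v1" }; // constructed list

        // Constructed sample records covering the test-plan scenarios (digests are placeholders, not real hashes).
        Provenance? none = null;
        var l1 = new Provenance("https://dev-laptop.example.test", Signed: false, HostedBuilder: false, NonFalsifiable: false,
            Hermetic: false, TwoPersonReviewed: false, ReproducedDigest: null, SubjectDigest: "sha256:1111",
            MaterialDigests: new[] { "sha256:src" });
        var untrusted = l1 with { BuilderId = "https://unknown-ci.example.test", Signed = true, HostedBuilder = true, NonFalsifiable = true };
        var compile = new Provenance(trusted.First(), Signed: true, HostedBuilder: true, NonFalsifiable: true,
            Hermetic: false, TwoPersonReviewed: false, ReproducedDigest: null, SubjectDigest: "sha256:2222",
            MaterialDigests: new[] { "sha256:src" });
        var package = compile with { SubjectDigest = "sha256:3333", ReproducedDigest = "sha256:3333", MaterialDigests = new[] { "sha256:2222" } };

        foreach (var (name, p) in new[] { ("no provenance", none), ("L1 only", l1), ("untrusted builder", untrusted), ("L3 package", package) })
            Console.WriteLine($"{name,-18} level={SlsaLevelEvaluator.Evaluate(p, trusted)} " +
                              $"builderTrusted={(p is null ? "n/a" : BuilderVerifier.IsTrusted(p, trusted).ToString())} " +
                              $"reproducible={(p is null ? "n/a" : ReproducibilityVerifier.ClaimHolds(p).ToString())}");

        // Two linked steps: the package step consumed the compile step's output.
        var chain = ProvenanceChainBuilder.Build(package.SubjectDigest, new[] { compile, package });
        Console.WriteLine("chain: " + string.Join(" -> ", chain.Select(s => s.SubjectDigest)));
    }
}
```

Running the sketch prints L0 for the missing provenance, L1 for both the unsigned record and the record signed by a builder absent from the trusted list, and L3 for the signed, non-falsifiable package step, matching the first, third and last scenarios of the test plan; the chain comes out as the compile step followed by the package step because linking is driven by digest matches between one step's subject and the next step's materials, not by timestamps or step names.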