Verify SLSA Provenance

You can use Harness SSCA to verify SLSA Provenance and confirm that you can trust an artifact before deployment. You can also use SSCA to generate SLSA Provenance.

Generate and verify SLSA Provenance architecture

To generate and verify SLSA Provenance with Harness SSCA, you need a pipeline with a CI (build) stage and CD (deploy) stage. The stages must have these minimum steps:

Build stage:
- Build and Push an image to Docker Registry step: Build and push an image to a Docker registry.
- SLSA generation enabled in the stage settings.
Deploy stage:
- SLSA Verification step: Verify the SLSA Provenance.
- Rolling deployment step: Deploy the image.

Prepare a pipeline

To verify SLSA Provenance in Harness, you need a pipeline with a CD (deploy) stage.

Get the public key

Keys are used to sign and verify provenance.

Create a Harness file secret containing the public key file that corresponds with the private key file that was used to sign and attest the provenance.

For example, if your pipeline includes provenance generation, then you need to use the public key that corresponds to the private key you used for provenance generation.

Create SLSA policies

You must create a set of OPA policies that you want Harness SSCA to use for SLSA Provenance verification. You can create a dedicated SLSA Provenance verification policy set or use existing policy sets that you've already created. For more information about creating policies in Harness, go to the Harness Policy As Code overview.

info

OPA polices used for SLSA Provenance verification are different from SSCA policies used for SSCA policy enforcement.

In your Harness Project, under Project Setup, go to Policies. You can also create policies at the Account and Org scopes.
Select Policies, and then create policies for the individual rules that you want to enforce. You can select from the policy library or write your own policies.
Create policy sets to group related policies. You must have at least one policy set.

SLSA policy example

Here's an example of an OPA policy that could be used to verify an SLSA Provenance generated in Harness. If you are verifying provenance from a third-party build system provider, make sure your OPA policies reflect the provenance structure used by that build system provider. Different providers might use different SLSA Provenance structures.

package slsa

# Build repo must be 'https://github.com/abc/abc-sample'. SLSA verification fails if a different repo is detected.
deny[msg]{
  input[0].outcome.stepArtifacts.provenanceArtifacts[0].predicate.buildDefinition.externalParameters.codeMetadata.repositoryURL != "https://github.com/abc/abc-sample"
  msg := "Repository verification failed in Provenance"  
}

# Build branch must be 'main'. SLSA verification fails if a different branch is detected.
deny[msg]{
  input[0].outcome.stepArtifacts.provenanceArtifacts[0].predicate.buildDefinition.externalParameters.codeMetadata.branch != "main"
  msg := "Branch verification failed in provenance"  
}

For more examples, go to Policy samples.

Add the SLSA Verification step

Add the SLSA Verification step to a Deploy stage to verify provenance. The SLSA Verification step is a container step that must be inside a container group.

Configure SLSA Verification step settings

The SLSA Verification step has the following settings:

Name: Enter a name for the step.
Container Registry: Select the Docker Registry connector that is configured for the Docker-compliant container registry where the artifact is stored, such as Docker Hub, Amazon ECR, or GCR.
Image: Enter the repo path (in your container registry) for the image that you want to verify, such as my-docker-repo/my-artifact.
Tag: Enter the tag for the image, such as latest.
Public Key: Select the Harness file secret containing the public key to use to verify the authenticity of the attestation.

ECR and GCR repos

If you're using Docker-compliant ECR or GCR repositories, you must:

Configure your Docker Registry connector as a valid artifact source.
- For ECR, go to Use Docker Registry for ECR.
- For GCR, go to Use Docker Registry for GCR
Use the full URI for the Image in your SSCA Orchestration step, such as 1234567890.dkr.ecr.REGION.amazonaws.com/IMAGE_NAME:TAG.

Select SLSA policies to enforce

On the Advanced tab for the SLSA Verification step, expand the Policy Enforcement section, and then add your SLSA Provenance verification OPA policies.

Run the pipeline

When the pipeline runs, the SLSA Verification step does the following:

Verifies the authenticity of the attestation.
Verifies the provenance data by applying the specified policy set.
Records the policy evaluation results in the step's logs.
Reports the overall pass/fail for SLSA verification on the Artifacts tab.

For more information about inspecting SLSA verification results, go to View attestations and violations.

Verify provenance from third-party build systems

You can use Harness SSCA to verify provenance generated by third-party build systems.

To do this:

Get the public key.
Create SLSA policies that verify the provenance data according to the provenance structure used by in the build system provider.
Add the SLSA Verification step.

Prepare a pipeline​

Get the public key​

Create SLSA policies​

SLSA policy example​

Add the SLSA Verification step​

Configure SLSA Verification step settings​

Select SLSA policies to enforce​

Run the pipeline​

Verify provenance from third-party build systems​