Skip to content

feat: Generate SLSA provenance for operator images#602

Merged
dervoeti merged 3 commits into
mainfrom
feat/slsa-provenance
Jul 1, 2026
Merged

feat: Generate SLSA provenance for operator images#602
dervoeti merged 3 commits into
mainfrom
feat/slsa-provenance

Conversation

@dervoeti

@dervoeti dervoeti commented Jun 26, 2026

Copy link
Copy Markdown
Member

Bumped stackabletech/actions from v0.15.0 to v0.16.0 so the digest output is provided.

Add provenance-oci and provenance-quay jobs to the templated build workflow. Both call the slsa-github-generator container workflow against the multi-arch image index digest published to each registry, attaching signed SLSA build provenance to the image.

Optional extra information, feel free to ignore:
I added SLSA provenance to our fork of SecObserve already in a similar fashion, here is the workflow run:
https://github.com/stackabletech/SecObserve/actions/runs/28184881580

Here is an example of how to manually inspect the SLSA provenance attestation for an image:

cosign download attestation oci.stackable.tech/stackable/secobserve-backend@sha256:66972afe0b57d3747d892a2887c7f872176e7cd824d2cdfff0dd851ba3ce6eda
de8a844526f3 | jq -r '.payload' | base64 -d | jq 'select(.predicateType=="https://slsa.dev/provenance/v0.2") | .predicate.invocation'

Or using slsa-verifier:

slsa-verifier verify-image oci.stackable.tech/stackable/secobserve-backend@sha256:66972afe0b57d3747d892a2887c7f872176e7cd824d2cdfff0dd851ba3ce6eda --source-uri github.com/stackabletech/SecObserve

It's basically a signed JSON document that provides a ton of metadata about the image build. The attestation is done by an isolated job that runs https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml, so it's an independent "witness" that can't be manipulated (this means we achieve SLSA level 3). Luckily it's pretty easy to do since we use GitHub actions.

@dervoeti dervoeti marked this pull request as draft June 26, 2026 08:52
@dervoeti dervoeti self-assigned this Jun 26, 2026
@dervoeti dervoeti force-pushed the feat/slsa-provenance branch from 2620667 to f54ae0c Compare June 26, 2026 11:42
@dervoeti dervoeti marked this pull request as ready for review July 1, 2026 13:22
@dervoeti dervoeti moved this to Development: Waiting for Review in Stackable Engineering Jul 1, 2026

@NickLarsenNZ NickLarsenNZ left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@NickLarsenNZ NickLarsenNZ moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Jul 1, 2026
@StefanFl

StefanFl commented Jul 1, 2026

Copy link
Copy Markdown
Member

The slsa-verifier responds with "FAILED: SLSA verification failed: no matching attestations" for the example above.

@dervoeti

dervoeti commented Jul 1, 2026

Copy link
Copy Markdown
Member Author

The slsa-verifier responds with "FAILED: SLSA verification failed: no matching attestations" for the example above.

Ah that's right, I built a new version of SecObserve in the meantime and the old image was garbage collected. I updated the hash.

@dervoeti dervoeti added this pull request to the merge queue Jul 1, 2026
Merged via the queue into main with commit a0fd6b5 Jul 1, 2026
2 checks passed
@dervoeti dervoeti deleted the feat/slsa-provenance branch July 1, 2026 16:16
@dervoeti dervoeti moved this from Development: In Review to Development: Done in Stackable Engineering Jul 1, 2026
@lfrancke lfrancke moved this from Development: Done to Done in Stackable Engineering Jul 6, 2026
@lfrancke lfrancke moved this from Done to Acceptance: In Progress in Stackable Engineering Jul 6, 2026
@dervoeti

dervoeti commented Jul 6, 2026

Copy link
Copy Markdown
Member Author

Release note

SLSA build provenance: All Stackable container images, both product images and operator images, are now published with SLSA build provenance attestations. The provenance is generated with the slsa-github-generator trusted builder, meeting the requirements of SLSA Level 3, and is signed keylessly and attached to the images in our OCI registry. This allows you to cryptographically verify that an image was built by Stackable's CI from the published source code. Check out the new provenance verification guide in our docs for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Acceptance: In Progress

Development

Successfully merging this pull request may close these issues.

4 participants