Generate SLSA Provenance with Harness GitHub Actions

Harness GitHub Actions provide a seamless way to integrate Harness's Software Supply Chain Security (SCS) capabilities directly into GitHub workflows. You can use this GitHub Action to perform various supply chain security tasks. The Harness GitHub Action includes multiple sub-actions, each designed for specific tasks. This document focuses on the harness/github-actions/slsa-generation sub-action, which is used to generate an SBOM and attest it if needed.

The harness/github-actions/slsa-generation is responsible for generating SLSA provenance and optionally attesting it. If attestation is enabled, the .att attestation file will be pushed to the configured container registry. The generated SLSA provenance can be found in the Artifact section of the SCS module.

info

Keys for attestation and verification should be generated using Cosign and stored in HashiCorp Vault. Currently, Harness SCS supports only HashiCorp Vault. Support for additional Key Management Systems (KMS) will be introduced in the near future.

Requirements

Here are the prerequisites for using the GitHub Action.

Harness Account: Ensure you have a Harness account with the SCS license enabled.
Harness Account Details: Save the following Harness account details, which are required for all sub-actions. It is recommended to securely store these values using GitHub Secrets.

Key	Value Example	Description	Required
`HARNESS_ACCOUNT_URL`	`https://example.harness.io`	The URL of your Harness account.	Yes
`HARNESS_ACCOUNT_ID`	`ppdfedDDDL_dharzdPs_JtWT7g`	The unique identifier for your Harness account.	Yes
`HARNESS_ORG_ID`	`SCS`	The identifier for your Harness organization.	Yes
`HARNESS_PROJECT_ID`	`SCS_ORG`	The identifier for your Harness project within the organization.	Yes
`HARNESS_API_KEY`	`${{ secrets.SCS_API_KEY }}`	The API key for authenticating with Harness. Create an API key using a Service Account (recommended) or a Personal Account , and then add the key to GitHub Actions Secrets with "HARNESS_API_KEY" as the key name.	Yes
`VAULT_ADDR`	`https://myvault.example.com`	The URL of your Vault	No

Security Keys: For attestation generation and verification, Key pair is required. The key should be generated using Cosign of type ecdsa-P256. Currently, HashiCorp Vault is supported for storing and retrieving the key. Additional Key Management Services (KMS) will be supported in the future.

Usage Example

- name: SLSA Provenance Generation
  uses: harness/github-actions/slsa-generation
  with:
    HARNESS_ACCOUNT_URL: https://myaccount.harness.io
    HARNESS_ACCOUNT_ID: my_account_id_9YpRharzPs
    HARNESS_ORG_ID: my_org_id_default
    HARNESS_PROJECT_ID: example_project_id
    HARNESS_API_KEY: ${{ secrets.API_KEY_SAVED_AS_GH_SECRET }}
    VAULT_ADDR: ${{ secrets.VAULT_URL }}
    TARGET: example_image:latest
    ATTEST: true
    KMS_KEY: path/to/your/key

Configuration

Make sure to include the required configurations from the Requirements section in your workflow. Below are the specific configurations for the slsa-generation sub-action.

Key	Value Example	Description	Required
`TARGET`	`example_image:latest`	The target artifact (Docker image) for generating SLSA provenance.	Yes
`ATTEST`	`true` or `false`	Boolean flag to determine if attestation is required.	No
`KMS_KEY`	`path/to/your/key`	Path to the Private key used for signing the attestation.	No

Sample workflow

Here's a sample workflow using the harness/github-actions/slsa-generation

name: SLSA Provenance Generation Workflow

on:
  push:
    branches:
      - main

jobs:
  slsa-generation-job:
    runs-on: self-hosted

    env:
      HARNESS_ACCOUNT_URL: 'https://myaccount.harness.io'
      HARNESS_ACCOUNT_ID: '_myaccount_rzPs_JtWT7g'
      HARNESS_ORG_ID: 'SCS'
      HARNESS_PROJECT_ID: 'SCS_ID'
      HARNESS_API_KEY: ${{ secrets.SCS_API_KEY }}
      VAULT_ADDR: ${{ secrets.VAULT_URL }}

    steps:
      # Step 1: Checkout the main repository
      - name: Checkout Main Repository
        uses: actions/checkout@v3

      # Step 2: Log in to Docker Hub
      - name: Log in to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Step 3: Build and Tag Docker Image
      - name: Build and Tag Docker Image
        run: |
          docker build -t harness/github-service:latest -f ./stable/alpine/Dockerfile .
          echo "Docker image built and tagged as harness/github-service:latest."

      # Step 4: Push Docker Image to Docker Hub
      - name: Push Docker Image
        run: |
          docker push harness/github-service:latest
          echo "Docker image pushed to Docker Hub."

      # Step 5: Log in to Vault
      - name: Log in to Vault
        uses: hashicorp/vault-action@v2
        with:
          url: ${{ secrets.VAULT_URL }}
          method: token
          token: ${{ secrets.VAULT_TOKEN }}

      # Step 6: Run SLSA Provenance Generation
      - name: Run SLSA Provenance Action
        uses: harness/github-actions/slsa-generation
        with:
          TARGET: 'harness/github-service:latest'
          ATTEST: true
          KMS_KEY: 'cosign'

To verify the generated SLSA Provenance, refer to Verify SLSA Provenance with GitHub Actions documentation.

Requirements​

Usage Example​

Configuration​

Sample workflow​

Requirements

Usage Example

Configuration

Sample workflow