Generate SLSA Provenance

You can use Harness SSCA to achieve SLSA Level 2 compliance by generating SLSA Provenance according to the SLSA v1.0 spec. You can also use SSCA to verify SLSA Provenance.

For a step-by-step walkthrough, try this tutorial: Generate and verify SLSA Provenance.

Prepare a pipeline

To generate SLSA Provenance in Harness, you need a pipeline with a CI (build) stage. Additionally, you must use the Build and Push to Docker Registry step to build and push your image. Support for other Build and Push steps is coming soon.

Generate a key pair

The private key signs the provenance attestation, and the matching public key is used to verify it.

  1. Generate a public and private key pair. For example, you can use Cosign to generate key pairs.
  2. Create two Harness file secrets, one for the private key file and one for the public key file.
  3. Create a Harness text secret to store the password for the private key.

Enable SLSA Provenance generation

Enable SLSA Provenance generation in the Build stage settings.

  1. In your Harness pipeline, select the Build stage, and then select the Overview tab.
  2. Under SLSA Provenance, enable Generate SLSA Provenance.
  3. For Private Key, select the Harness file secret containing the private key file to use to sign the attestation.
  4. For Password, select the Harness text secret containing the password for the private key.

Run the pipeline

When you run a pipeline with SLSA generation enabled, Harness SSCA:

  • Generates an SLSA Provenance for the image created by the Build and Push to Docker Registry step in the Build stage.
  • Generates and signs an attestation using the provided key and password.
  • Stores the SLSA Provenance in Harness and uploads the .att file to your container registry alongside the image.

The signed attestation is stored, as an .att file, in the artifact repository along with the image. You can also find the SLSA Provenance on the Artifacts tab on the Execution details page in Harness. For more information, go to View attestations and violations.

Provenance example

Here's an example of an SLSA Provenance generated by Harness SSCA. The information in your SLSA Provenance might vary depending on your build and changes to the provenance structure applied in SSCA updates. Identifiers, repo names, and other details in this example are anonymized or truncated.

// Predicate:
{
  "predicateType": "",
  "predicate": {
    "buildDefinition": {
      "buildType": "https://...",
      "externalParameters": {
        "codeMetadata": {
          "repositoryURL": "",
          "branch": "main",
          "commitSha": "ff...c4a"
        },
        "triggerMetadata": {
          "triggerType": "MANUAL",
          "triggeredBy": "firstName lastName"
        },
        "buildMetadata": {}
      },
      "internalParameters": {
        "pipelineExecutionId": "BUILD-ID",
        "accountId": "HARNESS-ACCOUNT-ID",
        "pipelineIdentifier": "PIPELINE-ID"
      }
    },
    "runDetails": {
      "builder": {
        "id": "https://...",
        "version": {
          "ci-manager": "1.0.5801-000",
          "plugins/kaniko": "1.7.5"
        }
      },
      "runDetailsMetadata": {
        "invocationId": "P2...Q",
        "startedOn": "2023-09-15T08:17:49.673Z",
        "finishedOn": "2023-09-15T08:19:47.590Z"
      }
    }
  }
}
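The provenance is only useful if something consumes it. The following added example (not Harness or SSCA code) applies a small admission policy to a statement with the field layout shown above: it checks the SLSA v1.0 predicate type, an allow-list of builder ids, a full commit id, the expected branch, and sane run timestamps. The builder id, build type and repository URL are constructed placeholders, not real Harness identifiers.

```python
import json, re
from datetime import datetime

SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"      # predicateType fixed by the SLSA v1.0 spec
TRUSTED_BUILDERS = {"https://builder.example/harness-ci"}  # placeholder allow-list, not a real Harness id

SAMPLE = json.dumps({  # constructed sample following the field layout of the Harness provenance above
    "predicateType": SLSA_V1_PREDICATE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://builder.example/build-types/docker@v1",
            "externalParameters": {
                "codeMetadata": {"repositoryURL": "https://git.example/org/app", "branch": "main",
                                 "commitSha": "ff" + "0" * 35 + "c4a"},
                "triggerMetadata": {"triggerType": "MANUAL", "triggeredBy": "firstName lastName"},
                "buildMetadata": {}},
            "internalParameters": {"pipelineExecutionId": "BUILD-ID", "accountId": "HARNESS-ACCOUNT-ID",
                                   "pipelineIdentifier": "PIPELINE-ID"}},
        "runDetails": {
            "builder": {"id": "https://builder.example/harness-ci",
                        "version": {"ci-manager": "1.0.5801-000", "plugins/kaniko": "1.7.5"}},
            "runDetailsMetadata": {"invocationId": "P2Q", "startedOn": "2023-09-15T08:17:49.673Z",
                                   "finishedOn": "2023-09-15T08:19:47.590Z"}}}})


def check_provenance(doc: str, expected_branch: str = "main") -> list:
    """Apply a policy to a provenance statement; returns the findings (an empty list means it passes)."""
    p = json.loads(doc)
    bd = p.get("predicate", {}).get("buildDefinition", {})
    rd = p.get("predicate", {}).get("runDetails", {})
    code = bd.get("externalParameters", {}).get("codeMetadata", {})
    meta = rd.get("runDetailsMetadata", {})
    findings = []
    if p.get("predicateType") != SLSA_V1_PREDICATE:
        findings.append("unexpected predicateType")
    if not bd.get("buildType", "").startswith("https://"):
        findings.append("buildType missing or not a URI")
    if rd.get("builder", {}).get("id") not in TRUSTED_BUILDERS:
        findings.append("builder.id is not a trusted builder")      # the core SLSA L2 question: who built it?
    if not re.fullmatch(r"[0-9a-f]{40}", code.get("commitSha", "")):
        findings.append("commitSha is not a full 40-hex commit id")  # a truncated id cannot be checked out
    if code.get("branch") != expected_branch:
        findings.append("built from branch %r, expected %r" % (code.get("branch"), expected_branch))
    try:
        ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
        if ts(meta["startedOn"]) > ts(meta["finishedOn"]):
            findings.append("finishedOn precedes startedOn")
    except (KeyError, ValueError):
        findings.append("missing or malformed run timestamps")
    return findings
```

Run this after the signature on the .att file has been verified with the public key; a valid signature only proves who signed the statement, not that its contents meet your policy.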