You can use Harness SSCA to verify SLSA Provenance and confirm that you can trust an artifact before deployment. You can also use SSCA to generate SLSA Provenance.
For a step-by-step walkthrough, try this tutorial: Generate and verify SLSA Provenance.
Prepare a pipeline
To verify SLSA Provenance in Harness, you need a pipeline with a CD (deploy) stage.
Get the public key
Keys are used to sign and verify provenance.
Create a Harness file secret containing the public key file that corresponds with the private key file that was used to sign and attest the provenance.
For example, if your pipeline includes provenance generation, then you need to use the public key that corresponds to the private key you used for provenance generation.
Create SLSA policies
You must create a set of OPA policies that you want Harness SSCA to use for SLSA Provenance verification. You can create a dedicated SLSA Provenance verification policy set or use existing policy sets that you've already created. For more information about creating policies in Harness, go to the Harness Policy As Code overview.
OPA polices used for SLSA Provenance verification are different from SSCA policies used for SSCA policy enforcement.
- In your Harness Project, under Project Setup, go to Policies. You can also create policies at the Account and Org scopes.
- Select Policies, and then create policies for the individual rules that you want to enforce. You can select from the policy library or write your own policies.
- Create policy sets to group related policies. You must have at least one policy set.
SLSA policy example
Here's an example of an OPA policy that could be used to verify an SLSA Provenance generated in Harness. If you are verifying provenance from a third-party build system provider, make sure your OPA policies reflect the provenance structure used by that build system provider. Different providers might use different SLSA Provenance structures.
# Build repo must be 'https://github.com/abc/abc-sample'. SLSA verification fails if a different repo is detected.
input.outcome.stepArtifacts.provenanceArtifacts.predicate.buildDefinition.externalParameters.codeMetadata.repositoryURL != "https://github.com/abc/abc-sample"
msg := "Repository verification failed in Provenance"
# Build branch must be 'main'. SLSA verification fails if a different branch is detected.
input.outcome.stepArtifacts.provenanceArtifacts.predicate.buildDefinition.externalParameters.codeMetadata.branch != "main"
msg := "Branch verification failed in provenance"
Add the SLSA Verification step
Use the SLSA Verification step in a Deploy stage to verify provenance. This is a container step that must be inside a container group.
Configure SLSA Verification step settings
The SLSA Verification step has the following settings:
- Name: Enter a name for the step.
- Container Registry: Select the Docker Registry connector that is configured for the Docker-compliant container registry where the artifact is stored, such as Docker Hub, Amazon ECR, or GCR.
- Image: Enter the repo path (in your container registry) for the image that you want to verify, such as
- Tag: Enter the tag for the image, such as
- Public Key: Select the Harness file secret containing the public key to use to verify the authenticity of the attestation.
If you're using Docker-compliant ECR or GCR repositories, you must:
Select SLSA policies to enforce
On the Advanced tab for the SLSA Verification step, expand the Policy Enforcement section, and then add your SLSA Provenance verification OPA policies.
Run the pipeline
When the pipeline runs, the SLSA Verification step does the following:
- Verifies the authenticity of the attestation.
- Verifies the provenance data by applying the specified policy set.
- Records the policy evaluation results in the step's logs.
- Reports the overall pass/fail for SLSA verification on the Artifacts tab.
For more information about inspecting SLSA verification results, go to View attestations and violations.
Verify provenance from third-party build systems
You can use Harness SSCA to verify provenance generated by third-party build systems.
To do this: