1. Configure your build system to run inside a hardened, isolated build environment that satisfies SLSA L3 isolation requirements.
2. Instrument the build to record the exact source commit, build parameters, and environment variables as provenance metadata.
3. Produce an in-toto attestation envelope with the SLSA provenance predicate type and sign it with a key or OIDC-bound certificate.
4. Upload the signed attestation to a transparency log or attach it to the artifact in your registry.
5. Verify that the attestation subject matches the artifact digest before promotion.
6. Publish the provenance alongside the artifact so consumers can independently verify build authenticity.
Known gotchas

- SLSA L3 requires the build platform itself to be trusted, not just the build script; emitting an L3 provenance predicate from an untrusted CI runner does not satisfy the level.
- The attestation subject must be the digest of the final artifact, not an intermediate build output; a mismatch breaks verification.
- Provenance predicates must reference a specific buildType URI; an undefined or generic URI will cause policy evaluation to reject the attestation.
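The steps and gotchas above, as an added example that is not part of the original page: it builds an in-toto Statement whose subject is the final artifact digest, computes the DSSE pre-authentication encoding a signer would sign (signing itself is left to your key or OIDC-bound certificate), and runs a consumer-side policy check that rejects a subject/artifact mismatch, an unknown buildType URI, or an untrusted builder. The builder and buildType URIs, the allowlists, and the artifact bytes are constructed assumptions.

```python
import base64, hashlib, json

PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Hypothetical allowlist: only buildType URIs this policy has a definition for.
KNOWN_BUILD_TYPES = {"https://example.com/hypothetical-builder/v1"}

def make_statement(name: str, artifact: bytes, build_type: str, builder_id: str, commit: str) -> dict:
    """in-toto Statement v1; the subject digest is computed over the FINAL artifact bytes."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": build_type,
                "externalParameters": {"source": {"digest": {"gitCommit": commit}}},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }

def encode_payload(stmt: dict) -> str:
    """Base64 payload as it appears in a DSSE envelope's 'payload' field."""
    return base64.b64encode(json.dumps(stmt, separators=(",", ":")).encode()).decode()

def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes the signer signs."""
    t = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t, str(len(payload)).encode(), payload])

def verify_provenance(payload_b64: str, artifact: bytes, trusted_builders: set) -> list:
    """Consumer-side policy: returns a list of failures; empty means the artifact may be promoted."""
    stmt = json.loads(base64.b64decode(payload_b64))
    failures = []
    if stmt.get("predicateType") != PROVENANCE_V1:
        failures.append("unexpected predicateType")
    subject_digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if hashlib.sha256(artifact).hexdigest() not in subject_digests:
        failures.append("subject digest does not match artifact")
    pred = stmt.get("predicate", {})
    build_type = pred.get("buildDefinition", {}).get("buildType")
    if build_type not in KNOWN_BUILD_TYPES:
        failures.append(f"unknown or generic buildType {build_type!r}")
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"builder {builder!r} is not trusted for the required level")
    return failures
```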