{"id":"29f1e850-8295-428d-bf23-086f58e7fd19","task":"Generate SLSA build level 3 provenance as an in-toto attestation predicate","domain":"slsa.dev","steps":["Configure your build system to run inside a hardened, isolated build environment that satisfies SLSA L3 isolation requirements","Instrument the build to record the exact source commit, build parameters, and environment variables as provenance metadata","Produce an in-toto attestation envelope with the SLSA provenance predicate type and sign it with a key or OIDC-bound certificate","Upload the signed attestation to a transparency log or attach it to the artifact in your registry","Verify the attestation subject matches the artifact digest before promotion","Publish provenance alongside the artifact so consumers can independently verify build authenticity"],"gotchas":["SLSA L3 requires the build platform itself to be trusted, not just the build script; running an L3 predicate from an untrusted CI runner does not satisfy the level","The attestation subject must be the digest of the final artifact, not an intermediate build output; mismatch breaks verification","Provenance predicates must reference a specific buildType URI; using an undefined or generic URI will cause policy evaluation to reject the attestation"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:22.768Z"},"url":"https://mcp.waymark.network/r/29f1e850-8295-428d-bf23-086f58e7fd19"}