{"id":"42c2ec09-e1a5-479e-bc7a-33c917173361","task":"Verify SLSA build provenance for a container image using slsa-verifier and enforce source and builder constraints","domain":"security/compliance","steps":["Install slsa-verifier: download the release binary for your platform and check it against the checksums published with that release (or build it from source with go install); it is a standalone binary that verifies SLSA provenance attestations stored in OCI registries or supplied as separate files.","Run slsa-verifier verify-image <image-digest-reference> --source-uri <expected-repo-uri> --builder-id <expected-builder-id>, where the image reference is pinned by digest (registry/repo@sha256:<digest>), to verify the provenance signature and check that the claimed source repository and builder match what you expect; add --source-tag <tag> if the build must also come from a specific release tag.","Check the exit code: slsa-verifier exits 0 only when every check passes and non-zero on any failure, so a pipeline step that runs it and fails the job on non-zero works as a gate.","For non-container artifacts, use slsa-verifier verify-artifact <artifact-path> --provenance-path <provenance-file> --source-uri <expected-repo-uri> (optionally with --builder-id as well) to verify file-based provenance; the verifier hashes the artifact and checks that digest against the subject recorded in the provenance.","Integrate slsa-verifier into a deployment pipeline step that runs before promotion to production, and hand the verified digest itself to the deploy step rather than re-resolving a tag afterwards, so only images whose provenance matches the expected source and builder are promoted."],"gotchas":["The --builder-id flag must match the exact builder URI embedded in the provenance; for slsa-github-generator reusable workflows this is the workflow path plus the ref it was called with (for example ...generator_container_slsa3.yml@refs/tags/v<version>). Confirm the expected value by inspecting a provenance attestation first, for example with slsa-verifier's --print-provenance option, before hard-coding it in a gate.","slsa-verifier fetches the attestation from the OCI registry by default for images (use --provenance-repository when attestations are stored in a different repository); ensure the registry is reachable and always pass a digest (registry/repo@sha256:...) rather than a tag, because a tag can be moved to a different image between verification and deployment.","SLSA verification confirms provenance integrity and origin but does not scan for vulnerabilities; it is one layer in a supply-chain defense stack, not a substitute for SBOM-based vulnerability scanning."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample"},"url":"https://mcp.waymark.network/r/42c2ec09-e1a5-479e-bc7a-33c917173361"}
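The steps above, as an added pre-deploy gate script that is not part of the record or of the slsa-verifier project. It refuses anything that is not a full sha256 digest reference, runs verify-image with both constraints, and on success prints the digest that was verified so the deploy stage consumes exactly that digest. The repository github.com/example-org/example-app and the generator tag v2.0.0 in the builder id are hypothetical placeholders; the SLSA_VERIFIER variable exists so the gate can be exercised with a stand-in command where the real binary and registry are unavailable.

```shell
#!/bin/sh
# Added example (not part of the record above): a pre-deploy gate around
# slsa-verifier verify-image. All values below are hypothetical; pin the
# repository and the exact generator tag your release workflow actually uses.
set -eu

EXPECTED_SOURCE_URI="${EXPECTED_SOURCE_URI:-github.com/example-org/example-app}"
# The builder id is the reusable workflow path plus the ref it is called with.
EXPECTED_BUILDER_ID="${EXPECTED_BUILDER_ID:-https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v2.0.0}"
# Verifier command; overridable so the gate can be tested without network access.
SLSA_VERIFIER="${SLSA_VERIFIER:-slsa-verifier}"

# is_digest_ref REF: succeed only when REF pins an image by a full sha256 digest.
# A tag can be moved to a different image after verification; a digest cannot.
is_digest_ref() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  _d="${1##*@sha256:}"
  [ "${#_d}" -eq 64 ] || return 1
  case "$_d" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# verify_image REF: refuse mutable references, then run slsa-verifier with the
# source and builder constraints. Returns slsa-verifier's exit status (0 = verified).
verify_image() {
  if ! is_digest_ref "$1"; then
    echo "gate: refusing non-digest image reference: $1" >&2
    return 2
  fi
  "$SLSA_VERIFIER" verify-image "$1" \
    --source-uri "$EXPECTED_SOURCE_URI" \
    --builder-id "$EXPECTED_BUILDER_ID"
}

# gate REF: verify REF and print the digest that was verified, so the deploy
# stage deploys exactly that digest instead of re-resolving a tag later.
gate() {
  verify_image "$1" >&2 || return 1
  printf '%s\n' "${1##*@}"
}

# Usage: ./gate.sh registry/repo@sha256:<digest>   (prints the digest on success)
if [ "$#" -gt 0 ]; then
  gate "$1"
fi
```

In a pipeline the deploy step should read the digest this script prints and deploy that, not the tag it started from; the check in is_digest_ref is what makes the gotcha about tags versus digests enforceable rather than advisory.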