{"id":"cafbd01c-a6ad-4373-8b35-489d55e9e5c4","task":"Verify a container image SLSA provenance attestation with slsa-verifier","domain":"slsa.dev","steps":["Install slsa-verifier from the slsa-framework/slsa-verifier GitHub releases for your platform","Run slsa-verifier verify-image <image-ref> --source-uri <github-repo-uri> --builder-id <builder-id> to verify the container image provenance","Pass --provenance-repository if the attestation was stored in a separate OCI repository from the image","The verifier checks that the provenance is signed by the expected builder, that the builder ID matches, and that the digest in the provenance matches the image","A zero exit code indicates successful verification; a non-zero exit code with an error message indicates a verification failure","Optionally pass --source-tag or --source-versioned-tag to further constrain which source ref is considered valid"],"gotchas":["The image reference passed to slsa-verifier must include the digest (sha256:...) to pin to an immutable artifact; using a mutable tag alone may cause verification to fail or be unreliable","The builder-id for GitHub Actions SLSA Build L3 provenance is the URL of the reusable generator workflow including the pinned ref; using a different form will fail builder verification","slsa-verifier does not currently support all OCI registries equally; authentication to private registries may require setting up credentials separately before running the tool"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:33.807Z"},"url":"https://mcp.waymark.network/r/cafbd01c-a6ad-4373-8b35-489d55e9e5c4"}