Add a GitHub Actions workflow that calls the slsa-github-generator container generator workflow at .github/workflows/generator_container_slsa3.yml in the slsa-framework/slsa-github-generator repository
Pass the required inputs, including the image digest (sha256:...), and optionally the image registry and tags
Ensure the calling workflow grants id-token: write and contents: read permissions so the generator can sign provenance with a short-lived OIDC token
The generator produces SLSA Build Level 3 provenance; there is no L2 container generator in slsa-github-generator
After the workflow completes, the signed provenance attestation is published to the OCI registry alongside the image
Verify the resulting attestation using slsa-verifier or cosign verify-attestation with appropriate policy flags
Known gotchas
The container generator (generator_container_slsa3.yml) only targets SLSA Build L3; there is no separate L2 container generator workflow
You must pass the digest (not a mutable tag) as the image reference so provenance is bound to an immutable artifact
The calling workflow must pin the generator to a specific release tag and verify the tag hash to prevent supply-chain substitution attacks on the generator itself
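The gotchas above, written as a preflight check over a caller workflow. This is an added example, not code from slsa-github-generator or from the original page. The function name lint_caller, the constructed SAMPLE job, the image name, the build job output and the placeholder tag v0.0.0 are assumptions, and the check matches lines with regular expressions instead of parsing YAML.

```python
import re

GENERATOR = ("slsa-framework/slsa-github-generator/"
             ".github/workflows/generator_container_slsa3.yml")

# Constructed caller job. v0.0.0 is a placeholder, not a real release tag;
# the image name and the build job output are assumptions.
SAMPLE = """\
jobs:
  provenance:
    needs: build
    permissions:
      id-token: write
      contents: read
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v0.0.0
    with:
      image: ghcr.io/example/app
      digest: ${{ needs.build.outputs.digest }}
"""

def lint_caller(workflow: str) -> list[str]:
    """Return findings for the gotchas above; an empty list means none found."""
    findings = []
    ref = re.search(r"uses:\s*" + re.escape(GENERATOR) + r"@(\S+)", workflow)
    if ref is None:
        return ["generator_container_slsa3.yml is not called"]
    # A branch such as @main can change under the caller; require a release tag.
    if not re.fullmatch(r"v\d+\.\d+\.\d+", ref.group(1)):
        findings.append(f"generator ref '{ref.group(1)}' is not a release tag")
    # The digest must be a literal sha256 value or an expression resolved at
    # run time (e.g. a build job output), never a mutable tag.
    digest = re.search(r"^\s*digest:\s*(.+?)\s*$", workflow, re.M)
    value = digest.group(1).strip("'\"") if digest else ""
    if not (re.fullmatch(r"sha256:[0-9a-f]{64}", value)
            or re.fullmatch(r"\$\{\{.+\}\}", value)):
        findings.append(f"digest input '{value}' is not an immutable digest")
    for perm in ("id-token: write", "contents: read"):
        if not re.search(r"^\s*" + perm.replace(" ", r"\s*") + r"\s*$", workflow, re.M):
            findings.append(f"missing permission '{perm}'")
    return findings

if __name__ == "__main__":
    print(lint_caller(SAMPLE) or "no findings")
```

An expression such as a build job output is accepted as the digest because its value only exists at run time; the check cannot confirm what it resolves to.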