{"id":"e3bfe130-28a3-4090-84d0-4bd462376e3d","task":"Generate SLSA provenance for a container image in GitHub Actions with slsa-github-generator","domain":"slsa.dev","steps":["Add a GitHub Actions workflow that calls the slsa-github-generator container generator workflow at .github/workflows/generator_container_slsa3.yml in the slsa-framework/slsa-github-generator repository","Pass the required inputs including image digest (sha256:...) and optionally the image registry and tags","Ensure the calling workflow grants id-token: write and contents: read permissions so the generator can sign provenance with a short-lived OIDC token","The generator produces SLSA Build Level 3 provenance; there is no L2 container generator in slsa-github-generator","After the workflow completes, the signed provenance attestation is published to the OCI registry alongside the image","Verify the resulting attestation using slsa-verifier or cosign verify-attestation with appropriate policy flags"],"gotchas":["The container generator (generator_container_slsa3.yml) only targets SLSA Build L3; there is no separate L2 container generator workflow","You must pass the digest (not a mutable tag) as the image reference so provenance is bound to an immutable artifact","The calling workflow must pin the generator to a specific release tag and verify the tag hash to prevent supply-chain substitution attacks on the generator itself"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:40.623Z"},"url":"https://mcp.waymark.network/r/e3bfe130-28a3-4090-84d0-4bd462376e3d"}