| Field | Description |
|---|---|
| _type | Always "https://in-toto |
| adoptionMetadata | Optional structured metadata recording the SLSA adoption challenges and mitig... |
| annotations | Arbitrary vendor-specific key-value annotations |
| artifact | A specific immutable package artifact or the artifact whose dependency invent... |
| attestationStorageUri | URI indicating where this signed attestation is publicly stored or retrievabl... |
| author | Identity of the person or automation that authored this revision (e |
| buildDefinition | All inputs to the build, sufficient to initialise and reproduce it |
| buildEnvLevel | The SLSA Build Environment Level supported or represented, reflecting the str... |
| builder | Identifies the build platform that executed the build and is trusted to have ... |
| builderDependencies | Dependencies used by the control plane orchestrator that are not run within t... |
| buildId | An immutable identifier uniquely assigned to a build execution (e |
| buildImage | The build image from which the build environment was instantiated |
| buildLevel | The SLSA Build Level this platform is capable of producing, as determined by ... |
| buildMetadata | Metadata about this particular build execution |
| buildPlatformId | URI of the build platform chosen to produce artifacts |
| buildType | URI identifying the template for how to perform the build and how to interpre... |
| byproducts | Additional artifacts produced during the build that are NOT the primary outpu... |
| challenges | The adoption challenge themes that apply to this attestation or deployment co... |
| controlsEnforced | Technical controls actively enforced by the Source Control System when this r... |
| dependencies | All third-party build dependencies (direct and transitive) for an artifact ve... |
| dependencyLevel | The SLSA Dependency Level that this inventory and associated triage process s... |
| dependencyLevels | Map from SlsaResult to count of transitive dependencies verified at that leve... |
| description | Human-readable description of a repository's purpose or a resource |
| digest | Set of cryptographic digests of a resource's content used for integrity verif... |
| downloadLocation | URI from which a resource can be downloaded, if different from its identifyin... |
| ecosystem | The package ecosystem (e |
| externalParameters | Top-level, independent inputs under external (tenant or user) control |
| finishedOn | Timestamp (RFC 3339) of when the build completed |
| gitCommit | Git commit SHA identifying a source-backed artifact |
| guacUri | URI to query the GUAC (Graph for Understanding Artifact Composition) instance... |
| hermeticBuild | Whether all build inputs are fully isolated to the dependencies declared in r... |
| id | A URI uniquely identifying an entity (build platform, verifier, build image, ... |
| inputAttestations | All attestations consulted during verification |
| internalParameters | Parameters set internally by the build platform |
| invocationId | A globally unique identifier for a build invocation, useful for finding assoc... |
| isHosted | True if this is a hosted (multi-tenant) platform running on shared or dedicat... |
| measurements | Cryptographic measurements (hashes) of build environment components captured ... |
| mediaType | IANA media type of a resource's content (e |
| name | A local name for a resource within the context of an attestation, or the name... |
| parentRevisions | Revision IDs of the parent revision(s), forming the directed acyclic graph of... |
| pipelineOrchestrator | URI or name of the CI/CD pipeline orchestration system that coordinated this ... |
| policy | The policy the subject was verified against |
| predicate | The attestation payload — an arbitrary JSON object whose schema is fully dete... |
| predicateType | URI identifying the schema and semantics of the predicate field |
| provenance | SLSA Build Provenance for a build image, describing how the image itself was ... |
| provenanceGenerationTool | URI or name of the tool used to generate provenance for this build (e |
| registry | URI of the package registry where a package is published and from which consu... |
| repository | The source repository that contains this revision |
| resolvedDependencies | Unordered collection of artifacts needed at build time (config files, source,... |
| resourceUri | URI identifying the resource associated with the artifact being verified |
| reviewType | The type of human or automated review process used to approve this source rev... |
| revision | The source revision that this attestation describes |
| revisionId | Immutable identifier for a source revision (e |
| runDetails | Details specific to this particular execution of the build, including builder... |
| securityInsightsUri | URI to the SECURITY-INSIGHTS |
| sha256 | Lowercase hex-encoded SHA-256 digest of the artifact |
| sha512 | Lowercase hex-encoded SHA-512 digest of the artifact |
| signingTool | URI or name of the tool used to cryptographically sign the artifact or attest... |
| sigstoreLogEntry | URI of the Rekor transparency log entry recording this attestation or artifac... |
| slsaVersion | Version of the SLSA specification used during verification, in MAJOR |
| sourceLevel | The SLSA Source Level achieved or verified for a source repository or revisio... |
| startedOn | Timestamp (RFC 3339) of when the build started |
| strategies | The mitigation strategies being employed or recommended in this attestation o... |
| subject | The set of software artifacts to which a predicate applies |
| timestamp | Timestamp (RFC 3339) of when this source revision was created |
| timeVerified | Timestamp (RFC 3339) indicating when the verification occurred |
| uri | A URI uniquely identifying a resource, such as a package URL (purl), git repo... |
| verificationResult | Whether the artifact passed or failed policy verification |
| verifiedLevels | The highest verified SLSA level for each applicable track (not including tran... |
| verifier | Identifies the entity that performed the verification |
| version | Map of component names to their version strings, represented as a JSON object... |
| versionTag | A semantic version tag (e |