
Class: BuildDefinition

Describes all inputs to the build in enough detail to initialise and reproduce the build. The accuracy and completeness are implied by the builder identified in runDetails.

URI: slsa:BuildDefinition

classDiagram
    class BuildDefinition
    click BuildDefinition href "../BuildDefinition/"
      BuildDefinition : buildType
      BuildDefinition : externalParameters
      BuildDefinition : hermeticBuild
      BuildDefinition : internalParameters
      BuildDefinition : pipelineOrchestrator
      BuildDefinition : provenanceGenerationTool
      BuildDefinition : resolvedDependencies
        BuildDefinition --> "*" ResourceDescriptor : resolvedDependencies
        click ResourceDescriptor href "../ResourceDescriptor/"



Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| buildType | 1, String | URI identifying the template for how to perform the build and how to interpre... | direct |
| externalParameters | 0..1, String | Top-level, independent inputs under external (tenant or user) control | direct |
| internalParameters | 0..1, String | Parameters set internally by the build platform | direct |
| resolvedDependencies | *, ResourceDescriptor | Unordered collection of artifacts needed at build time (config files, source,... | direct |
| hermeticBuild | 0..1, Boolean | Whether all build inputs are fully isolated to the dependencies declared in r... | direct |
| provenanceGenerationTool | 0..1, String | URI or name of the tool used to generate provenance for this build (e... | direct |
| pipelineOrchestrator | 0..1, String | URI or name of the CI/CD pipeline orchestration system that coordinated this ... | direct |

Usages

| used by | used in | type | used |
| --- | --- | --- | --- |
| SlsaDocument | buildDefinition | range | BuildDefinition |
| BuildProvenance | buildDefinition | range | BuildDefinition |

In Subsets

  • slsa_build_track

Notes

  • Hermetic build challenge (Tamanna et al., 2024, CI.1): Over 50% of practitioners surveyed by OpenSSF found hermetic builds difficult to implement. Non-build configurations (e.g., GoReleaser publish-only steps) lack explicit hermetic-build tool support. Use hermeticBuild to record whether L3 isolation is satisfied.
  • Provenance generation standardization (Tamanna et al., 2024, S3.1): Recording which tool generated this provenance via provenanceGenerationTool supports standardization, reproducibility verification, and incident response.

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/slsa

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | slsa:BuildDefinition |
| native | slsa:BuildDefinition |

LinkML Source

Direct

name: BuildDefinition
description: Describes all inputs to the build in enough detail to initialise and
  reproduce the build. The accuracy and completeness are implied by the builder identified
  in runDetails.
notes:
- 'Hermetic build challenge (Tamanna et al., 2024, CI.1): Over 50% of practitioners
  surveyed by OpenSSF found hermetic builds difficult to implement. Non-build configurations
  (e.g., GoReleaser publish-only steps) lack explicit hermetic-build tool support.
  Use hermeticBuild to record whether L3 isolation is satisfied.'
- 'Provenance generation standardization (Tamanna et al., 2024, S3.1): Recording which
  tool generated this provenance via provenanceGenerationTool supports standardization,
  reproducibility verification, and incident response.'
in_subset:
- slsa_build_track
from_schema: https://w3id.org/lmodel/slsa
slots:
- buildType
- externalParameters
- internalParameters
- resolvedDependencies
- hermeticBuild
- provenanceGenerationTool
- pipelineOrchestrator

Induced

name: BuildDefinition
description: Describes all inputs to the build in enough detail to initialise and
  reproduce the build. The accuracy and completeness are implied by the builder identified
  in runDetails.
notes:
- 'Hermetic build challenge (Tamanna et al., 2024, CI.1): Over 50% of practitioners
  surveyed by OpenSSF found hermetic builds difficult to implement. Non-build configurations
  (e.g., GoReleaser publish-only steps) lack explicit hermetic-build tool support.
  Use hermeticBuild to record whether L3 isolation is satisfied.'
- 'Provenance generation standardization (Tamanna et al., 2024, S3.1): Recording which
  tool generated this provenance via provenanceGenerationTool supports standardization,
  reproducibility verification, and incident response.'
in_subset:
- slsa_build_track
from_schema: https://w3id.org/lmodel/slsa
attributes:
  buildType:
    name: buildType
    description: URI identifying the template for how to perform the build and how
      to interpret the parameters and dependencies. SHOULD resolve to a human-readable
      specification. REQUIRED at SLSA Build L1.
    in_subset:
    - slsa_build_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: buildType
    owner: BuildDefinition
    domain_of:
    - BuildDefinition
    range: string
    required: true
  externalParameters:
    name: externalParameters
    description: Top-level, independent inputs under external (tenant or user) control.
      MUST be complete at SLSA Build L3. Stored as a JSON object. Verifiers SHOULD
      reject unrecognized fields.
    notes:
    - 'SSF pipeline definition files (CNCF TAG-Security Secure Software Factory):
      In Tekton-based SSF pipelines, externalParameters typically contains the PipelineRun
      YAML reference or TaskRun definition URI. For GitHub Actions, it would contain
      the workflow file path and ref. These values MUST be complete and verifiable
      at SLSA Build L3 so that consumers can confirm the exact build recipe. Use pipelineOrchestrator
      to record the CI system and provenanceGenerationTool (in BuildDefinition) to
      record the attestation generator (e.g., Tekton Chains).'
    in_subset:
    - slsa_build_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: externalParameters
    owner: BuildDefinition
    domain_of:
    - BuildDefinition
    range: string
  internalParameters:
    name: internalParameters
    description: Parameters set internally by the build platform. Intended for debugging,
      incident response, and enabling reproducible builds. Stored as a JSON object;
      need not be verified by consumers.
    in_subset:
    - slsa_build_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: internalParameters
    owner: BuildDefinition
    domain_of:
    - BuildDefinition
    range: string
  resolvedDependencies:
    name: resolvedDependencies
    description: Unordered collection of artifacts needed at build time (config files,
      source, build tools). Completeness is best effort through SLSA Build L3.
    in_subset:
    - slsa_build_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: resolvedDependencies
    owner: BuildDefinition
    domain_of:
    - BuildDefinition
    range: ResourceDescriptor
    multivalued: true
    inlined: true
    inlined_as_list: true
  hermeticBuild:
    name: hermeticBuild
    description: Whether all build inputs are fully isolated to the dependencies declared
      in resolvedDependencies, with no network access or filesystem references outside
      the explicit build graph. Hermetic builds are a stated requirement for SLSA
      Build L3; practitioners identified this as one of the most commonly cited implementation
      barriers, with over 50% of surveyed practitioners finding hermetic build requirements
      difficult to implement (Tamanna et al., 2024, CI.1).
    in_subset:
    - slsa_build_track
    - slsa_adoption_study
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: hermeticBuild
    owner: BuildDefinition
    domain_of:
    - BuildDefinition
    range: boolean
  provenanceGenerationTool:
    name: provenanceGenerationTool
    description: URI or name of the tool used to generate provenance for this build
      (e.g., "https://github.com/slsa-framework/slsa-github-generator"). Standardizing
      this field across builds reduces confusion, supports reproducibility verification,
      and aligns with the recommended strategy of simplifying and standardizing provenance
      generation processes (Tamanna et al., 2024, S3.1).
    in_subset:
    - slsa_build_track
    - slsa_adoption_study
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: provenanceGenerationTool
    owner: BuildDefinition
    domain_of:
    - BuildDefinition
    range: string
  pipelineOrchestrator:
    name: pipelineOrchestrator
    description: URI or name of the CI/CD pipeline orchestration system that coordinated
      this build (e.g., "https://tekton.dev", "https://github.com/features/actions",
      "https://jenkins.io"). In the SSF reference architecture this is the Build Service
      layer that feeds the Artifact Registry. Providing this field helps distinguish
      the orchestrator from the provenance-generating builder identity (builder.id)
      in complex deployments where they differ (e.g., a Tekton Pipeline running on
      Google Cloud Pipelines).
    in_subset:
    - slsa_build_track
    - slsa_ssf
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: pipelineOrchestrator
    owner: BuildDefinition
    domain_of:
    - BuildDefinition
    range: string
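As an added example that is not part of the generated LinkML page or of the schema's own tooling, the Python check below applies the slot rules above to one BuildDefinition object: the seven slots, the required buildType, rejection of unrecognized externalParameters fields (as the externalParameters note directs verifiers to do), ResourceDescriptor entries in resolvedDependencies, and the hermeticBuild requirement at SLSA Build L3. Assumptions: externalParameters arrives either as a JSON string or as an object, the caller supplies the keys its buildType permits, each resolvedDependencies entry follows the in-toto ResourceDescriptor rule of carrying at least one of uri, digest or content, and the sample values are constructed placeholders.

```python
import json

# Slots of slsa:BuildDefinition exactly as listed on this page.
SLOTS = {"buildType", "externalParameters", "internalParameters",
         "resolvedDependencies", "hermeticBuild",
         "provenanceGenerationTool", "pipelineOrchestrator"}


def check_build_definition(bd, allowed_external, require_l3=False):
    """Return a list of findings; an empty list means the object passes."""
    findings = []
    # Anything outside the seven schema slots is not a BuildDefinition field.
    for extra in sorted(set(bd) - SLOTS):
        findings.append(f"unknown slot: {extra}")
    # buildType is the only required slot (REQUIRED at SLSA Build L1).
    if not isinstance(bd.get("buildType"), str) or not bd["buildType"]:
        findings.append("buildType missing or empty")
    # externalParameters is a JSON object (range string); verifiers SHOULD reject unrecognized fields.
    ext = bd.get("externalParameters", {})
    if isinstance(ext, str):
        try:
            ext = json.loads(ext)
        except json.JSONDecodeError:
            findings.append("externalParameters is not valid JSON")
            ext = {}
    if not isinstance(ext, dict):
        findings.append("externalParameters is not a JSON object")
        ext = {}
    for key in sorted(set(ext) - set(allowed_external)):
        findings.append(f"unrecognized externalParameters field: {key}")
    # resolvedDependencies: ResourceDescriptor objects; assumed in-toto rule: uri, digest or content present.
    for i, dep in enumerate(bd.get("resolvedDependencies", [])):
        if not isinstance(dep, dict) or not {"uri", "digest", "content"} & set(dep):
            findings.append(f"resolvedDependencies[{i}] is not a ResourceDescriptor")
    # Hermetic isolation is a stated requirement for SLSA Build L3.
    if require_l3 and bd.get("hermeticBuild") is not True:
        findings.append("hermeticBuild not asserted true; L3 isolation unverified")
    return findings


# Constructed sample (placeholder URIs): a GitHub Actions style definition whose
# externalParameters carries one field ("debug") that the verifier does not permit.
SAMPLE = {
    "buildType": "https://example.com/build-types/ci-workflow@v1",
    "externalParameters": json.dumps({"workflowPath": ".github/workflows/release.yml",
                                      "ref": "refs/tags/v1.2.0", "debug": True}),
    "resolvedDependencies": [{"uri": "git+https://example.com/org/repo",
                              "digest": {"gitCommit": "0" * 40}}],
    "hermeticBuild": False,
    "pipelineOrchestrator": "https://github.com/features/actions",
}
```

Running `check_build_definition(SAMPLE, {"workflowPath", "ref"}, require_l3=True)` reports the stray `debug` field and the unasserted hermetic build, which is exactly the pair of gaps a consumer would need closed before trusting this definition at L3.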