Subset: SlsaBuildTrack
Slots and classes related to the SLSA Build Track, which measures the trustworthiness of the build process and resulting provenance.
URI: SlsaBuildTrack
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/slsa
Classes in subset
| Class | Description |
|---|---|
| BuildDefinition | Describes all inputs to the build in enough detail to initialise and reproduc... |
| Builder | Represents the transitive closure of all software, hardware, and entities tru... |
| BuildMetadata | Metadata about a specific invocation of the build, including timing informati... |
| BuildPlatform | The infrastructure (software, hardware, people, and organizations) used to tr... |
| BuildProvenance | An attestation predicate (predicateType "https://slsa |
| Consumer | A party who uses software provided by a producer |
| ControlPlane | The build platform component that orchestrates each independent build executi... |
| DigestSet | A set of cryptographic digests for an artifact, keyed by algorithm name (e |
| InfrastructureProvider | A party who provides software or services to other roles in the supply chain,... |
| Package | An identifiable unit of software intended for distribution |
| Producer | A party who creates software and provides it to others |
| ResourceDescriptor | A reference to a software artifact including its location, digest, and option... |
| RunDetails | Details specific to this particular execution of the build, including the tru... |
| SlsaDocument | Root wrapper for any SLSA attestation payload |
| Statement | The middle layer of an in-toto software attestation (Statement v1) |
| VerificationSummaryAttestation | An attestation predicate (predicateType "https://slsa |
| Verifier | The entity that performed verification of an artifact and issued a Verificati... |
Slots from BuildDefinition also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| buildType | 1 String | URI identifying the template for how to perform the build and how to interpre... |
| externalParameters | 0..1 String | Top-level, independent inputs under external (tenant or user) control |
| hermeticBuild | 0..1 Boolean | Whether all build inputs are fully isolated to the dependencies declared in r... |
| internalParameters | 0..1 String | Parameters set internally by the build platform |
| pipelineOrchestrator | 0..1 String | URI or name of the CI/CD pipeline orchestration system that coordinated this ... |
| provenanceGenerationTool | 0..1 String | URI or name of the tool used to generate provenance for this build (e |
| resolvedDependencies | * ResourceDescriptor | Unordered collection of artifacts needed at build time (config files, source,... |
Slots from Builder also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| builderDependencies | * ResourceDescriptor | Dependencies used by the control plane orchestrator that are not run within t... |
| id | 1 String | A URI uniquely identifying an entity (build platform, verifier, build image, ... |
| version | 0..1 String | Map of component names to their version strings, represented as a JSON object... |
| versionTag | 0..1 String | A semantic version tag (e |
Slots from BuildMetadata also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| finishedOn | 0..1 String | Timestamp (RFC 3339) of when the build completed |
| invocationId | 0..1 String | A globally unique identifier for a build invocation, useful for finding assoc... |
| startedOn | 0..1 String | Timestamp (RFC 3339) of when the build started |
Slots from BuildPlatform also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| buildLevel | 0..1 BuildLevelEnum | The SLSA Build Level this platform is capable of producing, as determined by ... |
| id | 1 String | A URI uniquely identifying an entity (build platform, verifier, build image, ... |
| isHosted | 0..1 Boolean | True if this is a hosted (multi-tenant) platform running on shared or dedicat... |
Slots from BuildProvenance also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| _type | 1 String | Always "https://in-toto |
| attestationStorageUri | 0..1 String | URI indicating where this signed attestation is publicly stored or retrievabl... |
| buildDefinition | 1 BuildDefinition | All inputs to the build, sufficient to initialise and reproduce it |
| predicate | 0..1 String | The attestation payload — an arbitrary JSON object whose schema is fully dete... |
| predicateType | 1 String | URI identifying the schema and semantics of the predicate field |
| runDetails | 1 RunDetails | Details specific to this particular execution of the build, including builder... |
| signingTool | 0..1 String | URI or name of the tool used to cryptographically sign the artifact or attest... |
| sigstoreLogEntry | 0..1 String | URI of the Rekor transparency log entry recording this attestation or artifac... |
| subject | 1..* ResourceDescriptor | The set of software artifacts to which a predicate applies |
Slots from DigestSet also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| gitCommit | 0..1 String | Git commit SHA identifying a source-backed artifact |
| sha256 | 0..1 String | Lowercase hex-encoded SHA-256 digest of the artifact |
| sha512 | 0..1 String | Lowercase hex-encoded SHA-512 digest of the artifact |
Slots from Package also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| artifact | 0..1 ResourceDescriptor | A specific immutable package artifact or the artifact whose dependency invent... |
| ecosystem | 0..1 String | The package ecosystem (e |
| name | 0..1 String | A local name for a resource within the context of an attestation, or the name... |
| registry | 0..1 String | URI of the package registry where a package is published and from which consu... |
Slots from Producer also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| buildPlatformId | 0..1 String | URI of the build platform chosen to produce artifacts |
| name | 0..1 String | A local name for a resource within the context of an attestation, or the name... |
Slots from ResourceDescriptor also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| annotations | * String | Arbitrary vendor-specific key-value annotations |
| digest | 0..1 DigestSet | Set of cryptographic digests of a resource's content used for integrity verif... |
| downloadLocation | 0..1 String | URI from which a resource can be downloaded, if different from its identifyin... |
| mediaType | 0..1 String | IANA media type of a resource's content (e |
| name | 0..1 String | A local name for a resource within the context of an attestation, or the name... |
| uri | 0..1 String | A URI uniquely identifying a resource, such as a package URL (purl), git repo... |
Slots from RunDetails also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| builder | 1 Builder | Identifies the build platform that executed the build and is trusted to have ... |
| buildMetadata | 0..1 BuildMetadata | Metadata about this particular build execution |
| byproducts | * ResourceDescriptor | Additional artifacts produced during the build that are NOT the primary outpu... |
Slots from SlsaDocument also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| buildDefinition | 1 BuildDefinition | All inputs to the build, sufficient to initialise and reproduce it |
| runDetails | 1 RunDetails | Details specific to this particular execution of the build, including builder... |
| verificationResult | 1 VerificationResultEnum | Whether the artifact passed or failed policy verification |
| verifiedLevels | 1..* SlsaResultEnum | The highest verified SLSA level for each applicable track (not including tran... |
| verifier | 1 Verifier | Identifies the entity that performed the verification |
Slots from Statement also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| _type | 1 String | Always "https://in-toto |
| attestationStorageUri | 0..1 String | URI indicating where this signed attestation is publicly stored or retrievabl... |
| predicate | 0..1 String | The attestation payload — an arbitrary JSON object whose schema is fully dete... |
| predicateType | 1 String | URI identifying the schema and semantics of the predicate field |
| signingTool | 0..1 String | URI or name of the tool used to cryptographically sign the artifact or attest... |
| sigstoreLogEntry | 0..1 String | URI of the Rekor transparency log entry recording this attestation or artifac... |
| subject | 1..* ResourceDescriptor | The set of software artifacts to which a predicate applies |
Slots from VerificationSummaryAttestation also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| _type | 1 String | Always "https://in-toto |
| attestationStorageUri | 0..1 String | URI indicating where this signed attestation is publicly stored or retrievabl... |
| dependencyLevels | 0..1 String | Map from SlsaResult to count of transitive dependencies verified at that leve... |
| inputAttestations | * ResourceDescriptor | All attestations consulted during verification |
| policy | 1 ResourceDescriptor | The policy the subject was verified against |
| predicate | 0..1 String | The attestation payload — an arbitrary JSON object whose schema is fully dete... |
| predicateType | 1 String | URI identifying the schema and semantics of the predicate field |
| resourceUri | 1 String | URI identifying the resource associated with the artifact being verified |
| signingTool | 0..1 String | URI or name of the tool used to cryptographically sign the artifact or attest... |
| sigstoreLogEntry | 0..1 String | URI of the Rekor transparency log entry recording this attestation or artifac... |
| slsaVersion | 0..1 String | Version of the SLSA specification used during verification, in MAJOR |
| subject | 1..* ResourceDescriptor | The set of software artifacts to which a predicate applies |
| timeVerified | 0..1 String | Timestamp (RFC 3339) indicating when the verification occurred |
| verificationResult | 1 VerificationResultEnum | Whether the artifact passed or failed policy verification |
| verifiedLevels | 1..* SlsaResultEnum | The highest verified SLSA level for each applicable track (not including tran... |
| verifier | 1 Verifier | Identifies the entity that performed the verification |
Slots from Verifier also in slsa_build_track
| Name | Cardinality and Range | Description |
|---|---|---|
| id | 1 String | A URI uniquely identifying an entity (build platform, verifier, build image, ... |
| version | 0..1 String | Map of component names to their version strings, represented as a JSON object... |
Slots in subset
| Slot | Description |
|---|---|
| _type | Always "https://in-toto |
| annotations | Arbitrary vendor-specific key-value annotations |
| artifact | A specific immutable package artifact or the artifact whose dependency invent... |
| attestationStorageUri | URI indicating where this signed attestation is publicly stored or retrievabl... |
| buildDefinition | All inputs to the build, sufficient to initialise and reproduce it |
| builder | Identifies the build platform that executed the build and is trusted to have ... |
| builderDependencies | Dependencies used by the control plane orchestrator that are not run within t... |
| buildLevel | The SLSA Build Level this platform is capable of producing, as determined by ... |
| buildMetadata | Metadata about this particular build execution |
| buildPlatformId | URI of the build platform chosen to produce artifacts |
| buildType | URI identifying the template for how to perform the build and how to interpre... |
| byproducts | Additional artifacts produced during the build that are NOT the primary outpu... |
| dependencyLevels | Map from SlsaResult to count of transitive dependencies verified at that leve... |
| digest | Set of cryptographic digests of a resource's content used for integrity verif... |
| downloadLocation | URI from which a resource can be downloaded, if different from its identifyin... |
| ecosystem | The package ecosystem (e |
| externalParameters | Top-level, independent inputs under external (tenant or user) control |
| finishedOn | Timestamp (RFC 3339) of when the build completed |
| gitCommit | Git commit SHA identifying a source-backed artifact |
| guacUri | URI to query the GUAC (Graph for Understanding Artifact Composition) instance... |
| hermeticBuild | Whether all build inputs are fully isolated to the dependencies declared in r... |
| id | A URI uniquely identifying an entity (build platform, verifier, build image, ... |
| inputAttestations | All attestations consulted during verification |
| internalParameters | Parameters set internally by the build platform |
| invocationId | A globally unique identifier for a build invocation, useful for finding assoc... |
| isHosted | True if this is a hosted (multi-tenant) platform running on shared or dedicat... |
| mediaType | IANA media type of a resource's content (e |
| name | A local name for a resource within the context of an attestation, or the name... |
| pipelineOrchestrator | URI or name of the CI/CD pipeline orchestration system that coordinated this ... |
| policy | The policy the subject was verified against |
| predicate | The attestation payload — an arbitrary JSON object whose schema is fully dete... |
| predicateType | URI identifying the schema and semantics of the predicate field |
| provenanceGenerationTool | URI or name of the tool used to generate provenance for this build (e |
| registry | URI of the package registry where a package is published and from which consu... |
| resolvedDependencies | Unordered collection of artifacts needed at build time (config files, source,... |
| resourceUri | URI identifying the resource associated with the artifact being verified |
| runDetails | Details specific to this particular execution of the build, including builder... |
| securityInsightsUri | URI to the SECURITY-INSIGHTS |
| sha256 | Lowercase hex-encoded SHA-256 digest of the artifact |
| sha512 | Lowercase hex-encoded SHA-512 digest of the artifact |
| signingTool | URI or name of the tool used to cryptographically sign the artifact or attest... |
| sigstoreLogEntry | URI of the Rekor transparency log entry recording this attestation or artifac... |
| slsaVersion | Version of the SLSA specification used during verification, in MAJOR |
| startedOn | Timestamp (RFC 3339) of when the build started |
| subject | The set of software artifacts to which a predicate applies |
| timeVerified | Timestamp (RFC 3339) indicating when the verification occurred |
| uri | A URI uniquely identifying a resource, such as a package URL (purl), git repo... |
| verificationResult | Whether the artifact passed or failed policy verification |
| verifiedLevels | The highest verified SLSA level for each applicable track (not including tran... |
| verifier | Identifies the entity that performed the verification |
| version | Map of component names to their version strings, represented as a JSON object... |
| versionTag | A semantic version tag (e |
Enumerations in subset
| Enumeration | Description |
|---|---|
| BuildLevelEnum | SLSA Build Track levels providing increasing supply chain security guarantees... |
| SlsaResultEnum | A named SLSA result used in Verification Summary Attestations to indicate the... |
| VerificationResultEnum | Outcome of a policy verification check on an artifact |