Subset: SlsaSourceTrack
Slots and classes related to the SLSA Source Track, which measures the trustworthiness of how source revisions are created and managed.
URI: SlsaSourceTrack
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/slsa
Classes in subset
| Class | Description |
|---|---|
| Consumer | A party who uses software provided by a producer |
| DigestSet | A set of cryptographic digests for an artifact, keyed by algorithm name (e |
| InfrastructureProvider | A party who provides software or services to other roles in the supply chain,... |
| ResourceDescriptor | A reference to a software artifact including its location, digest, and option... |
| SourceProvenanceAttestation | An attestation describing how a source revision came to exist: where it was h... |
| SourceRepository | A self-contained unit that holds the content and complete revision history fo... |
| SourceRevision | A specific, logically immutable snapshot of a source repository's tracked fil... |
| Statement | The middle layer of an in-toto software attestation (Statement v1) |
| VerificationSummaryAttestation | An attestation predicate (predicateType "https://slsa |
| Verifier | The entity that performed verification of an artifact and issued a Verificati... |
Slots from DigestSet also in slsa_source_track
| Name | Cardinality and Range | Description |
|---|---|---|
| gitCommit | 0..1 String | Git commit SHA identifying a source-backed artifact |
| sha256 | 0..1 String | Lowercase hex-encoded SHA-256 digest of the artifact |
| sha512 | 0..1 String | Lowercase hex-encoded SHA-512 digest of the artifact |
Slots from ResourceDescriptor also in slsa_source_track
| Name | Cardinality and Range | Description |
|---|---|---|
| annotations | * String | Arbitrary vendor-specific key-value annotations |
| digest | 0..1 DigestSet | Set of cryptographic digests of a resource's content used for integrity verif... |
| name | 0..1 String | A local name for a resource within the context of an attestation, or the name... |
| uri | 0..1 String | A URI uniquely identifying a resource, such as a package URL (purl), git repo... |
Slots from SourceProvenanceAttestation also in slsa_source_track
| Name | Cardinality and Range | Description |
|---|---|---|
| _type | 1 String | Always "https://in-toto |
| attestationStorageUri | 0..1 String | URI indicating where this signed attestation is publicly stored or retrievabl... |
| controlsEnforced | * String | Technical controls actively enforced by the Source Control System when this r... |
| predicate | 0..1 String | The attestation payload — an arbitrary JSON object whose schema is fully dete... |
| predicateType | 1 String | URI identifying the schema and semantics of the predicate field |
| revision | 0..1 SourceRevision | The source revision that this attestation describes |
| signingTool | 0..1 String | URI or name of the tool used to cryptographically sign the artifact or attest... |
| sigstoreLogEntry | 0..1 String | URI of the Rekor transparency log entry recording this attestation or artifac... |
| sourceLevel | 0..1 SourceLevelEnum | The SLSA Source Level achieved or verified for a source repository or revisio... |
| subject | 1..* ResourceDescriptor | The set of software artifacts to which a predicate applies |
Slots from SourceRepository also in slsa_source_track
| Name | Cardinality and Range | Description |
|---|---|---|
| description | 0..1 String | Human-readable description of a repository's purpose or a resource |
| id | 1 String | Canonical URI that uniquely identifies this source repository |
| sourceLevel | 0..1 SourceLevelEnum | The SLSA Source Level achieved or verified for a source repository or revisio... |
Slots from SourceRevision also in slsa_source_track
| Name | Cardinality and Range | Description |
|---|---|---|
| author | 0..1 String | Identity of the person or automation that authored this revision (e |
| parentRevisions | * String | Revision IDs of the parent revision(s), forming the directed acyclic graph of... |
| repository | 0..1 SourceRepository | The source repository that contains this revision |
| reviewType | 0..1 ReviewTypeEnum | The type of human or automated review process used to approve this source rev... |
| revisionId | 1 String | Immutable identifier for a source revision (e |
| timestamp | 0..1 String | Timestamp (RFC 3339) of when this source revision was created |
Slots from Statement also in slsa_source_track
| Name | Cardinality and Range | Description |
|---|---|---|
| _type | 1 String | Always "https://in-toto |
| attestationStorageUri | 0..1 String | URI indicating where this signed attestation is publicly stored or retrievabl... |
| predicate | 0..1 String | The attestation payload — an arbitrary JSON object whose schema is fully dete... |
| predicateType | 1 String | URI identifying the schema and semantics of the predicate field |
| signingTool | 0..1 String | URI or name of the tool used to cryptographically sign the artifact or attest... |
| sigstoreLogEntry | 0..1 String | URI of the Rekor transparency log entry recording this attestation or artifac... |
| subject | 1..* ResourceDescriptor | The set of software artifacts to which a predicate applies |
Slots from VerificationSummaryAttestation also in slsa_source_track
| Name | Cardinality and Range | Description |
|---|---|---|
| _type | 1 String | Always "https://in-toto |
| attestationStorageUri | 0..1 String | URI indicating where this signed attestation is publicly stored or retrievabl... |
| dependencyLevels | 0..1 String | Map from SlsaResult to count of transitive dependencies verified at that leve... |
| inputAttestations | * ResourceDescriptor | All attestations consulted during verification |
| policy | 1 ResourceDescriptor | The policy the subject was verified against |
| predicate | 0..1 String | The attestation payload — an arbitrary JSON object whose schema is fully dete... |
| predicateType | 1 String | URI identifying the schema and semantics of the predicate field |
| resourceUri | 1 String | URI identifying the resource associated with the artifact being verified |
| signingTool | 0..1 String | URI or name of the tool used to cryptographically sign the artifact or attest... |
| sigstoreLogEntry | 0..1 String | URI of the Rekor transparency log entry recording this attestation or artifac... |
| slsaVersion | 0..1 String | Version of the SLSA specification used during verification, in MAJOR |
| subject | 1..* ResourceDescriptor | The set of software artifacts to which a predicate applies |
| timeVerified | 0..1 String | Timestamp (RFC 3339) indicating when the verification occurred |
| verificationResult | 1 VerificationResultEnum | Whether the artifact passed or failed policy verification |
| verifiedLevels | 1..* SlsaResultEnum | The highest verified SLSA level for each applicable track (not including tran... |
| verifier | 1 Verifier | Identifies the entity that performed the verification |
Slots from Verifier also in slsa_source_track
| Name | Cardinality and Range | Description |
|---|---|---|
| id | 1 String | A URI uniquely identifying an entity (build platform, verifier, build image, ... |
Slots in subset
| Slot | Description |
|---|---|
| _type | Always "https://in-toto |
| annotations | Arbitrary vendor-specific key-value annotations |
| attestationStorageUri | URI indicating where this signed attestation is publicly stored or retrievabl... |
| author | Identity of the person or automation that authored this revision (e |
| controlsEnforced | Technical controls actively enforced by the Source Control System when this r... |
| dependencyLevels | Map from SlsaResult to count of transitive dependencies verified at that leve... |
| description | Human-readable description of a repository's purpose or a resource |
| digest | Set of cryptographic digests of a resource's content used for integrity verif... |
| gitCommit | Git commit SHA identifying a source-backed artifact |
| id | A URI uniquely identifying an entity (build platform, verifier, build image, ... |
| inputAttestations | All attestations consulted during verification |
| name | A local name for a resource within the context of an attestation, or the name... |
| parentRevisions | Revision IDs of the parent revision(s), forming the directed acyclic graph of... |
| policy | The policy the subject was verified against |
| predicate | The attestation payload — an arbitrary JSON object whose schema is fully dete... |
| predicateType | URI identifying the schema and semantics of the predicate field |
| repository | The source repository that contains this revision |
| resourceUri | URI identifying the resource associated with the artifact being verified |
| reviewType | The type of human or automated review process used to approve this source rev... |
| revision | The source revision that this attestation describes |
| revisionId | Immutable identifier for a source revision (e |
| securityInsightsUri | URI to the SECURITY-INSIGHTS |
| sha256 | Lowercase hex-encoded SHA-256 digest of the artifact |
| sha512 | Lowercase hex-encoded SHA-512 digest of the artifact |
| signingTool | URI or name of the tool used to cryptographically sign the artifact or attest... |
| sigstoreLogEntry | URI of the Rekor transparency log entry recording this attestation or artifac... |
| slsaVersion | Version of the SLSA specification used during verification, in MAJOR |
| sourceLevel | The SLSA Source Level achieved or verified for a source repository or revisio... |
| subject | The set of software artifacts to which a predicate applies |
| timestamp | Timestamp (RFC 3339) of when this source revision was created |
| timeVerified | Timestamp (RFC 3339) indicating when the verification occurred |
| uri | A URI uniquely identifying a resource, such as a package URL (purl), git repo... |
| verificationResult | Whether the artifact passed or failed policy verification |
| verifiedLevels | The highest verified SLSA level for each applicable track (not including tran... |
| verifier | Identifies the entity that performed the verification |
Enumerations in subset
| Enumeration | Description |
|---|---|
| ReviewTypeEnum | Categories of code-review process applied to a source revision |
| SlsaResultEnum | A named SLSA result used in Verification Summary Attestations to indicate the... |
| SourceLevelEnum | SLSA Source Track levels providing increasing trust in source code provenance... |
| VerificationResultEnum | Outcome of a policy verification check on an artifact |