From 1e7f964f3132d167902f08e72741d0024f6588b5 Mon Sep 17 00:00:00 2001 From: Sam Joan Roque-Worcel Date: Wed, 18 Jun 2025 10:28:07 +1200 Subject: [PATCH 01/13] Add SLSA Provenance documentation. --- doc/ci/slsa/provenance.md | 124 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 doc/ci/slsa/provenance.md diff --git a/doc/ci/slsa/provenance.md b/doc/ci/slsa/provenance.md new file mode 100644 index 00000000000000..f7278323adcfeb --- /dev/null +++ b/doc/ci/slsa/provenance.md 
@@ -0,0 +1,124 @@ +--- +stage: Software Supply Chain Security +group: Pipeline Security +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments +title: SLSA Provenance Specification +--- + +{{< details >}} + +Status: Experiment + +{{< /details >}} + +{{< alert type="flag" >}} + +The availability of this feature is controlled by a feature flag. +For more information, see the history. +This feature is available for testing, but not ready for production use. + +{{< /alert >}} + +This feature is an [experiment](/policy/development_stages_support.md). To join the list +of users testing this feature, do this thing. If you find a bug, open an issue. + +## Build Definition + +This is an official [SLSA Provenance](https://slsa.dev/provenance/v1) +`buildType` that describes the execution of a GitLab [CI/CD job](/ci/jobs/index.md). + +This definition is hosted and maintained by GitLab. When enabled with the +`RUNNER_GENERATE_ARTIFACTS_METADATA` CI/CD variable, the runner produces [SLSA provenance v1.0](https://slsa.dev/spec/v1.0/provenance) statements. + +## Description + +This `buildType` describes the execution of a workflow that builds a software +artifact. + +> [!note] +> Consumers should ignore unrecognized external parameters. Any changes must +> not change the semantics of existing external parameters. + +### External parameters + +External parameters are defined below: + +| Field | Value | +|----------------------|-------| +| `source` | The URL of the project. | +| `entryPoint` | The name of the CI/CD job that triggered the build. | +| `variables` | The names and valuesof any CI/CD or environment variables available during the build command execution. If the variable is [masked or hidden](/ci/variables/_index.md) the value of the variable will be set to `[MASKED]`. 
| + +### Internal parameters + +The following internal parameters are populated by default: + +| `name` | The name of the runner. | +| `executor` | The runner executor. | +| `architecture` | The architecture on which the CI/CD job is run. | +| `job` | The ID of the CI/CD job that triggered the build. | + +### Example + +The following code contains an example provenance statement: + +```json +{ + "_type": "https://in-toto.io/Statement/v1", + "subject": [ + { + "name": "artifacts.zip", + "digest": { + "sha256": "717a1ee89f0a2829cf5aad57054c83615675b04baa913bdc19999d7519edf3f2" + } + } + ], + "predicateType": "https://slsa.dev/provenance/v1", + "predicate": { + "buildDefinition": { + "buildType": "", + "externalParameters": { + "source": "http://gdk.test:3000/root/repo_name", + "entryPoint": "build-job", + "variables": { + "CI_PIPELINE_ID": "576", + "CI_PIPELINE_URL": "http://gdk.test:3000/root/repo_name/-/pipelines/576", + "CI_JOB_ID": "412", +[... additional environment variables ...] + "masked_and_hidden_variable": "[MASKED]", + "masked_variable": "[MASKED]", + "visible_variable": "visible_variable", + } + }, + "internalParameters": { + "architecture": "arm64", + "executor": "docker", + "job": 412, + "name": "9-mfdkBG" + }, + "resolvedDependencies": [ + { + "uri": "http://gdk.test:3000/root/repo_name", + "digest": { + "gitCommit": "a288201509dd9a85da4141e07522bad412938dbe" + } + } + ] + }, + "runDetails": { + "builder": { + "id": "http://gdk.test:3000/groups/user/-/runners/33", + "version": { + "gitlab-runner": "4d7093e1" + } + }, + "metadata": { + "invocationId": 412, + "startedOn": "2025-06-05T01:33:18Z", + "finishedOn": "2025-06-05T01:33:23Z" + } + } + } +} + +``` -- GitLab From 39532e0e26924ed9ad9ecfcf9c73092f7cb1621f Mon Sep 17 00:00:00 2001 
From: Sam Roque-Worcel Date: Sun, 22 Jun 2025 21:28:19 +0000 Subject: [PATCH 02/13] Apply 2 suggestion(s) to 1 file(s) Co-authored-by: Fabien Catteau --- doc/ci/slsa/provenance.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/ci/slsa/provenance.md b/doc/ci/slsa/provenance.md index f7278323adcfeb..65a4f1a55b424c 100644 --- a/doc/ci/slsa/provenance.md +++ b/doc/ci/slsa/provenance.md @@ -27,8 +27,7 @@ of users testing this feature, do this thing. If you find a bug, open an issue. This is an official [SLSA Provenance](https://slsa.dev/provenance/v1) `buildType` that describes the execution of a GitLab [CI/CD job](/ci/jobs/index.md). -This definition is hosted and maintained by GitLab. When enabled with the -`RUNNER_GENERATE_ARTIFACTS_METADATA` CI/CD variable, the runner produces [SLSA provenance v1.0](https://slsa.dev/spec/v1.0/provenance) statements. +This definition is hosted and maintained by GitLab. ## Description @@ -53,6 +52,8 @@ External parameters are defined below: The following internal parameters are populated by default: +| Field | Value | +|----------------------|-------| | `name` | The name of the runner. | | `executor` | The runner executor. | | `architecture` | The architecture on which the CI/CD job is run. | -- GitLab From ba009d861d2f84ea4445a48a3021cd5f3e870ebe Mon Sep 17 00:00:00 2001 From: Sam Joan Roque-Worcel Date: Mon, 23 Jun 2025 09:56:34 +1200 Subject: [PATCH 03/13] Added introduction, change page location --- doc/ci/{slsa/provenance.md => jobs/slsa_provenance.md} | 5 +++++ 1 file changed, 5 insertions(+) rename doc/ci/{slsa/provenance.md => jobs/slsa_provenance.md} (89%) diff --git a/doc/ci/slsa/provenance.md b/doc/ci/jobs/slsa_provenance.md similarity index 89% rename from doc/ci/slsa/provenance.md rename to doc/ci/jobs/slsa_provenance.md index 65a4f1a55b424c..1215b94938babd 100644 --- a/doc/ci/slsa/provenance.md +++ b/doc/ci/jobs/slsa_provenance.md 
@@ -22,6 +22,11 @@ This feature is available for testing, but not ready for production use. This feature is an [experiment](/policy/development_stages_support.md). To join the list of users testing this feature, do this thing. If you find a bug, open an issue. +This page contains the build type template as required by [the SLSA specification](https://slsa.dev/spec/v1.1/provenance). It is documented here +as a reference for consumers of GitLab SLSA attestations to assist +in parsing specific fields that are unique to our provenance statements. More +information on this document can be found in SLSA's [buildType documentation](https://slsa.dev/spec/v1.1/provenance#builddefinition). + ## Build Definition This is an official [SLSA Provenance](https://slsa.dev/provenance/v1) -- GitLab From fe1c282ff80c49312f40610c4b15c454f713b92a Mon Sep 17 00:00:00 2001 From: Sam Roque-Worcel Date: Mon, 23 Jun 2025 21:25:25 +0000 Subject: [PATCH 04/13] Apply 9 suggestion(s) to 1 file(s) Co-authored-by: Marcel Amirault --- doc/ci/jobs/slsa_provenance.md | 73 +++++++++++++++++----------------- 1 file changed, 37 insertions(+), 36 deletions(-) diff --git a/doc/ci/jobs/slsa_provenance.md b/doc/ci/jobs/slsa_provenance.md index 1215b94938babd..dde62fb3b3c368 100644 --- a/doc/ci/jobs/slsa_provenance.md +++ b/doc/ci/jobs/slsa_provenance.md 
@@ -2,71 +2,73 @@ stage: Software Supply Chain Security group: Pipeline Security info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments -title: SLSA Provenance Specification +title: SLSA provenance specification --- {{< details >}} -Status: Experiment +- Tier: Free, Premium, Ultimate +- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated +- Status: Experiment {{< /details >}} -{{< alert type="flag" >}} +{{< history >}} -The availability of this feature is controlled by a feature flag. -For more information, see the history. -This feature is available for testing, but not ready for production use. +- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/546150) in GitLab 18.2. -{{< /alert >}} +{{< /history >}} -This feature is an [experiment](/policy/development_stages_support.md). To join the list -of users testing this feature, do this thing. If you find a bug, open an issue. +The [SLSA provenance specification](https://slsa.dev/spec/v1.1/provenance) requires +the `buildType` reference to be documented and published. This reference is to assist consumers of +GitLab SLSA attestations with parsing specific fields that are unique to GitLab SLSA provenance statements. -This page contains the build type template as required by [the SLSA specification](https://slsa.dev/spec/v1.1/provenance). It is documented here -as a reference for consumers of GitLab SLSA attestations to assist -in parsing specific fields that are unique to our provenance statements. More -information on this document can be found in SLSA's [buildType documentation](https://slsa.dev/spec/v1.1/provenance#builddefinition). +See the SLSA [`buildType` documentation](https://slsa.dev/spec/v1.1/provenance#builddefinition) +for more details. 
-## Build Definition +## `buildType` -This is an official [SLSA Provenance](https://slsa.dev/provenance/v1) -`buildType` that describes the execution of a GitLab [CI/CD job](/ci/jobs/index.md). +This official [SLSA Provenance](https://slsa.dev/spec/v1.1/provenance) `buildType` reference: -This definition is hosted and maintained by GitLab. +- Describes the execution of a GitLab [CI/CD job](_index.md). +- Is hosted and maintained by GitLab. -## Description +### Description This `buildType` describes the execution of a workflow that builds a software artifact. -> [!note] -> Consumers should ignore unrecognized external parameters. Any changes must -> not change the semantics of existing external parameters. +{{< alert type="note" >}} + +Consumers should ignore unrecognized external parameters. Any changes must +not change the semantics of existing external parameters. + +{{< /alert >}} ### External parameters -External parameters are defined below: +The external parameters: -| Field | Value | -|----------------------|-------| -| `source` | The URL of the project. | -| `entryPoint` | The name of the CI/CD job that triggered the build. | -| `variables` | The names and valuesof any CI/CD or environment variables available during the build command execution. If the variable is [masked or hidden](/ci/variables/_index.md) the value of the variable will be set to `[MASKED]`. | +| Field | Value | +|--------------|-------| +| `source` | The URL of the project. | +| `entryPoint` | The name of the CI/CD job that triggered the build. | +| `variables` | The names and values of any CI/CD or environment variables available during the build command execution. If the variable is [masked or hidden](../variables/_index.md) the value of the variable is set to `[MASKED]`. 
| ### Internal parameters -The following internal parameters are populated by default: +The internal parameters, which are populated by default: -| Field | Value | -|----------------------|-------| -| `name` | The name of the runner. | -| `executor` | The runner executor. | -| `architecture` | The architecture on which the CI/CD job is run. | -| `job` | The ID of the CI/CD job that triggered the build. | +| Field | Value | +|----------------|-------| +| `name` | The name of the runner. | +| `executor` | The runner executor. | +| `architecture` | The architecture on which the CI/CD job is run. | +| `job` | The ID of the CI/CD job that triggered the build. | ### Example -The following code contains an example provenance statement: +This example shows the format of a GitLab-generated provenance statement: ```json { @@ -126,5 +128,4 @@ The following code contains an example provenance statement: } } } - ``` -- GitLab From 984a977d74c79ddf3dc2f8f766cb9a0e435ce773 Mon Sep 17 00:00:00 2001 From: Sam Joan Roque-Worcel Date: Tue, 24 Jun 2025 09:48:04 +1200 Subject: [PATCH 05/13] Add flag information, updated release number --- doc/ci/jobs/slsa_provenance.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/ci/jobs/slsa_provenance.md b/doc/ci/jobs/slsa_provenance.md index dde62fb3b3c368..9e58f47b80c48f 100644 --- a/doc/ci/jobs/slsa_provenance.md +++ b/doc/ci/jobs/slsa_provenance.md 
@@ -15,10 +15,18 @@ title: SLSA provenance specification {{< history >}} -- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/546150) in GitLab 18.2. +- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/547865) in GitLab 18.3. {{< /history >}} +{{< alert type="flag" >}} + +The availability of this feature is controlled by a feature flag. +For more information, see the history. +This feature is available for testing, but not ready for production use. + +{{< /alert >}} + The [SLSA provenance specification](https://slsa.dev/spec/v1.1/provenance) requires the `buildType` reference to be documented and published. This reference is to assist consumers of GitLab SLSA attestations with parsing specific fields that are unique to GitLab SLSA provenance statements. -- GitLab From aea14b1570e7577ce7a46256e6c19224f4ac48f3 Mon Sep 17 00:00:00 2001 From: Sam Joan Roque-Worcel Date: Tue, 24 Jun 2025 09:53:17 +1200 Subject: [PATCH 06/13] Update buildType URL --- app/models/ci/slsa/provenance_statement.rb | 3 +-- spec/models/ci/slsa/provenance_statement_spec.rb | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/app/models/ci/slsa/provenance_statement.rb b/app/models/ci/slsa/provenance_statement.rb index 90c8abf81e6f2a..130417b915f940 100644 --- a/app/models/ci/slsa/provenance_statement.rb +++ b/app/models/ci/slsa/provenance_statement.rb @@ -50,8 +50,7 @@ class BuildDefinition attr_accessor :build_type, :external_parameters, :internal_parameters, :resolved_dependencies def self.from_build(build) - # TODO: update buildType as part of https://gitlab.com/gitlab-org/gitlab/-/issues/426764 - build_type = "https://gitlab.com/gitlab-org/gitlab/-/issues/546150" + build_type = "https://gitlab.com/gitlab-org/slsa_provenance/v1/README.md" external_parameters = { variables: build.variables.map(&:key) } internal_parameters = { architecture: build.runner_manager.architecture, 
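Review bot: the unchanged context line `external_parameters = { variables: build.variables.map(&:key) }` in the `app/models/ci/slsa/provenance_statement.rb` hunk emits variable names only, while the `variables` row added to the docs in patch 01 says the statement carries "the names and values" of CI/CD variables with masked ones rendered as `[MASKED]`; one of the two has to change, and if values are added here the masking the docs describe must be applied before they reach the statement. The `buildType` change itself is fine, but patch 09 in this series replaces this README URL again, so the two could be squashed.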
diff --git a/spec/models/ci/slsa/provenance_statement_spec.rb b/spec/models/ci/slsa/provenance_statement_spec.rb index 29b0d6572b67a8..12e5bff2049f24 100644 --- a/spec/models/ci/slsa/provenance_statement_spec.rb +++ b/spec/models/ci/slsa/provenance_statement_spec.rb @@ -105,8 +105,7 @@ it 'has the correct predicate build definition' do build_definition = parsed['predicate']['buildDefinition'] - # TODO: update buildType as part of https://gitlab.com/gitlab-org/gitlab/-/issues/426764 - expect(build_definition['buildType']).to eq('https://gitlab.com/gitlab-org/gitlab/-/issues/546150') + expect(build_definition['buildType']).to eq('https://gitlab.com/gitlab-org/slsa_provenance/v1/README.md') expect(build_definition['externalParameters']['variables']).to include("GITLAB_CI") expect(build_definition['internalParameters']['name']).to start_with("My runner") -- GitLab From 83273b560e16c6979447ff57d2f2de95808bb889 Mon Sep 17 00:00:00 2001 From: Sam Joan Roque-Worcel Date: Wed, 25 Jun 2025 10:36:17 +1200 Subject: [PATCH 07/13] Update with flag name --- doc/ci/jobs/slsa_provenance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ci/jobs/slsa_provenance.md b/doc/ci/jobs/slsa_provenance.md index 9e58f47b80c48f..6d352511b5b9b7 100644 --- a/doc/ci/jobs/slsa_provenance.md +++ b/doc/ci/jobs/slsa_provenance.md @@ -15,7 +15,7 @@ title: SLSA provenance specification {{< history >}} -- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/547865) in GitLab 18.3. +- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/547865) in GitLab 18.3 [with a flag](../../administration/feature_flags/_index.md) named `slsa_provenance_statement`. Disabled by default. {{< /history >}} -- GitLab From 019c1a8401c059e58cd358399454fbbd79632bdc Mon Sep 17 00:00:00 2001 
From: Sam Joan Roque-Worcel Date: Wed, 25 Jun 2025 10:51:53 +1200 Subject: [PATCH 08/13] Move provenance buildType documentation --- doc/ci/pipeline_security/slsa/_index.md | 14 ++++++++++++++ .../slsa/provenance_v1.md} | 4 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 doc/ci/pipeline_security/slsa/_index.md rename doc/ci/{jobs/slsa_provenance.md => pipeline_security/slsa/provenance_v1.md} (94%) diff --git a/doc/ci/pipeline_security/slsa/_index.md b/doc/ci/pipeline_security/slsa/_index.md new file mode 100644 index 00000000000000..f8ee37bac55377 --- /dev/null +++ b/doc/ci/pipeline_security/slsa/_index.md @@ -0,0 +1,14 @@ +--- +stage: Software Supply Chain Security +group: Pipeline Security +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments +title: GitLab SLSA +--- + +This section contains information pertaining to GitLab SLSA support + +{{< cards >}} + +- [Provenance version 1 buildType specification](provenance_v1.md) + +{{< /cards >}} diff --git a/doc/ci/jobs/slsa_provenance.md b/doc/ci/pipeline_security/slsa/provenance_v1.md similarity index 94% rename from doc/ci/jobs/slsa_provenance.md rename to doc/ci/pipeline_security/slsa/provenance_v1.md index 6d352511b5b9b7..ae9da0fdf5056d 100644 --- a/doc/ci/jobs/slsa_provenance.md +++ b/doc/ci/pipeline_security/slsa/provenance_v1.md @@ -15,7 +15,7 @@ title: SLSA provenance specification {{< history >}} -- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/547865) in GitLab 18.3 [with a flag](../../administration/feature_flags/_index.md) named `slsa_provenance_statement`. Disabled by default. +- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/547865) in GitLab 18.3 [with a flag](../../../administration/feature_flags/_index.md) named `slsa_provenance_statement`. Disabled by default. {{< /history >}} 
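Review bot: the rename to `doc/ci/pipeline_security/slsa/provenance_v1.md` updates the relative link in this hunk (`../../../administration/feature_flags/_index.md`) and the variables link in the next, but the `[CI/CD job](_index.md)` link introduced in patch 04 is not touched, so after the move it resolves to `pipeline_security/slsa/_index.md` instead of the jobs index; it should become `../../jobs/_index.md`.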
@@ -61,7 +61,7 @@ The external parameters: |--------------|-------| | `source` | The URL of the project. | | `entryPoint` | The name of the CI/CD job that triggered the build. | -| `variables` | The names and values of any CI/CD or environment variables available during the build command execution. If the variable is [masked or hidden](../variables/_index.md) the value of the variable is set to `[MASKED]`. | +| `variables` | The names and values of any CI/CD or environment variables available during the build command execution. If the variable is [masked or hidden](../../variables/_index.md) the value of the variable is set to `[MASKED]`. | ### Internal parameters -- GitLab From 7147c5e9b341fb27a5266fd81908b6cbc8fb0639 Mon Sep 17 00:00:00 2001 From: Sam Joan Roque-Worcel Date: Wed, 25 Jun 2025 10:57:37 +1200 Subject: [PATCH 09/13] Add new buildType --- app/models/ci/slsa/provenance_statement.rb | 2 +- spec/models/ci/slsa/provenance_statement_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/models/ci/slsa/provenance_statement.rb b/app/models/ci/slsa/provenance_statement.rb index 130417b915f940..5846c93566414f 100644 --- a/app/models/ci/slsa/provenance_statement.rb +++ b/app/models/ci/slsa/provenance_statement.rb @@ -50,7 +50,7 @@ class BuildDefinition attr_accessor :build_type, :external_parameters, :internal_parameters, :resolved_dependencies def self.from_build(build) - build_type = "https://gitlab.com/gitlab-org/slsa_provenance/v1/README.md" + build_type = "https://docs.gitlab.com/ci/pipeline_security/slsa/provenance_v1" external_parameters = { variables: build.variables.map(&:key) } internal_parameters = { architecture: build.runner_manager.architecture, diff --git a/spec/models/ci/slsa/provenance_statement_spec.rb b/spec/models/ci/slsa/provenance_statement_spec.rb index 12e5bff2049f24..0d03eea64ffcf5 100644 --- a/spec/models/ci/slsa/provenance_statement_spec.rb +++ b/spec/models/ci/slsa/provenance_statement_spec.rb 
@@ -105,7 +105,7 @@ it 'has the correct predicate build definition' do build_definition = parsed['predicate']['buildDefinition'] - expect(build_definition['buildType']).to eq('https://gitlab.com/gitlab-org/slsa_provenance/v1/README.md') + expect(build_definition['buildType']).to eq('https://docs.gitlab.com/ci/pipeline_security/slsa/provenance_v1') expect(build_definition['externalParameters']['variables']).to include("GITLAB_CI") expect(build_definition['internalParameters']['name']).to start_with("My runner") -- GitLab From 29eaea6faecebfd525a17004e17643c95b7977eb Mon Sep 17 00:00:00 2001 From: Sam Joan Roque-Worcel Date: Mon, 30 Jun 2025 09:51:27 +1200 Subject: [PATCH 10/13] Move section to new page --- doc/ci/pipeline_security/_index.md | 17 ----------------- doc/ci/pipeline_security/slsa/_index.md | 17 +++++++++++++++++ 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/doc/ci/pipeline_security/_index.md b/doc/ci/pipeline_security/_index.md index 6878da93857d2b..200bfa04f76fce 100644 --- a/doc/ci/pipeline_security/_index.md +++ b/doc/ci/pipeline_security/_index.md 
@@ -201,23 +201,6 @@ include: - local: '/ci/security-scan.yml' # Verified and stored in the repository ``` -### SLSA provenance generation - -GitLab offers a SLSA Level 1 compliant provenance statement that can be -[automatically generated for all build artifacts produced by the GitLab Runner](../runners/configure_runners.md#artifact-provenance-metadata). -This provenance statement is produced by the runner itself. - -#### Sign and verify SLSA provenance with a CI/CD Component - -The [GitLab SLSA CI/CD component](https://gitlab.com/explore/catalog/components/slsa) -provides configurations for: - -- Signing runner-generated provenance statements. -- Generating [Verification Summary Attestations (VSA)](https://slsa.dev/spec/v1.0/verification_summary) - for job artifacts. - -For more information and example configurations, see the [SLSA Component documentation](https://gitlab.com/components/slsa#slsa-supply-chain-levels-for-software-artifacts). - ### Related topics 1. [CIS Docker Benchmarks](https://www.cisecurity.org/benchmark/docker) diff --git a/doc/ci/pipeline_security/slsa/_index.md b/doc/ci/pipeline_security/slsa/_index.md index f8ee37bac55377..af2454e66da886 100644 --- a/doc/ci/pipeline_security/slsa/_index.md +++ b/doc/ci/pipeline_security/slsa/_index.md 
@@ -12,3 +12,20 @@ This section contains information pertaining to GitLab SLSA support - [Provenance version 1 buildType specification](provenance_v1.md) {{< /cards >}} + +### SLSA provenance generation + +GitLab offers a SLSA Level 1 compliant provenance statement that can be +[automatically generated for all build artifacts produced by the GitLab Runner](../../runners/configure_runners.md#artifact-provenance-metadata). +This provenance statement is produced by the runner itself. + +#### Sign and verify SLSA provenance with a CI/CD Component + +The [GitLab SLSA CI/CD component](https://gitlab.com/explore/catalog/components/slsa) +provides configurations for: + +- Signing runner-generated provenance statements. +- Generating [Verification Summary Attestations (VSA)](https://slsa.dev/spec/v1.0/verification_summary) + for job artifacts. + +For more information and example configurations, see the [SLSA Component documentation](https://gitlab.com/components/slsa#slsa-supply-chain-levels-for-software-artifacts). -- GitLab From aca49bdbc2d8f2d3ac78436e8c32c6cb9bf89e1f Mon Sep 17 00:00:00 2001 From: Sam Roque-Worcel Date: Wed, 2 Jul 2025 19:07:50 +0000 Subject: [PATCH 11/13] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Marcel Amirault --- doc/ci/pipeline_security/slsa/_index.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/doc/ci/pipeline_security/slsa/_index.md b/doc/ci/pipeline_security/slsa/_index.md index af2454e66da886..0985abbed245e8 100644 --- a/doc/ci/pipeline_security/slsa/_index.md +++ b/doc/ci/pipeline_security/slsa/_index.md 
@@ -5,14 +5,12 @@ info: To determine the technical writer assigned to the Stage/Group associated w title: GitLab SLSA --- -This section contains information pertaining to GitLab SLSA support +This page contains information pertaining to GitLab SLSA support. -{{< cards >}} +Related topics: - [Provenance version 1 buildType specification](provenance_v1.md) -{{< /cards >}} - ### SLSA provenance generation GitLab offers a SLSA Level 1 compliant provenance statement that can be -- GitLab From a810ac55717ebdfd8a5aac15e5becd04cb0e5cb7 Mon Sep 17 00:00:00 2001 From: Sam Joan Roque-Worcel Date: Mon, 21 Jul 2025 10:42:17 +1200 Subject: [PATCH 12/13] Add slsa_provenance_statement FF --- .../gitlab_com_derisk/slsa_provenance_statement.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 ee/config/feature_flags/gitlab_com_derisk/slsa_provenance_statement.yml diff --git a/ee/config/feature_flags/gitlab_com_derisk/slsa_provenance_statement.yml b/ee/config/feature_flags/gitlab_com_derisk/slsa_provenance_statement.yml new file mode 100644 index 00000000000000..2625dabede93e6 --- /dev/null +++ b/ee/config/feature_flags/gitlab_com_derisk/slsa_provenance_statement.yml @@ -0,0 +1,10 @@ +--- +name: slsa_provenance_statement +description: Roll out feature flag to publish SLSA provenance statements +feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/547865 +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198167 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/547866 +milestone: '18.3' +group: group::pipeline security +type: gitlab_com_derisk +default_enabled: false -- GitLab From 021343898eb493b6b6662b3cbdd6a8f325cd6740 Mon Sep 17 00:00:00 2001 
From: Sam Joan Roque-Worcel Date: Mon, 21 Jul 2025 12:24:10 +1200 Subject: [PATCH 13/13] Call PublishStatementWorker when build finished --- ee/app/workers/ee/ci/build_finished_worker.rb | 6 +++ .../ee/ci/build_finished_worker_spec.rb | 41 +++++++++++++++++++ 2 files changed, 47 insertions(+) diff --git a/ee/app/workers/ee/ci/build_finished_worker.rb b/ee/app/workers/ee/ci/build_finished_worker.rb index 97b71e1a0021e5..189d200322cc78 100644 --- a/ee/app/workers/ee/ci/build_finished_worker.rb +++ b/ee/app/workers/ee/ci/build_finished_worker.rb @@ -21,6 +21,8 @@ def process_build(build) # Use upsert since this code can be called more than once for the same build ::Ci::FinishedBuildChSyncEvent.upsert_from_build(build) if finished_build_sync_event?(build) + + ::Ci::Slsa::PublishStatementWorker.perform_async(build.id) if should_perform_attestation?(build) end private @@ -38,6 +40,10 @@ def requirements_available?(build) def finished_build_sync_event?(build) build.is_a?(::Ci::Build) && build.finished_at.present? end + + def should_perform_attestation?(build) + ::Feature.enabled?(:slsa_provenance_statement, build.project) && build.artifacts? + end end end end diff --git a/ee/spec/workers/ee/ci/build_finished_worker_spec.rb b/ee/spec/workers/ee/ci/build_finished_worker_spec.rb index 00a14b2baec14f..8f999dd5866028 100644 --- a/ee/spec/workers/ee/ci/build_finished_worker_spec.rb +++ b/ee/spec/workers/ee/ci/build_finished_worker_spec.rb 
@@ -197,5 +197,46 @@ def project_stats expect { perform }.not_to change { Ci::FinishedBuildChSyncEvent.count } end end + + it 'does not call PublishStatementWorker when build does not have artifacts' do + expect(::Ci::Slsa::PublishStatementWorker).not_to receive(:perform_async).with(build.id) + + perform + end + + context 'when artifacts exist' do + let_it_be(:status) { :success } + let_it_be(:build) do + create(:ee_ci_build, :artifacts, :sast, status, runner: ci_runner, finished_at: 1.hour.ago) + end + + it 'calls PublishStatementWorker when build is successful' do + expect(::Ci::Slsa::PublishStatementWorker).to receive(:perform_async).with(build.id) + + perform + end + + context 'when the build fails' do + let_it_be(:status) { :failed } + + it 'still calls PublishStatementWorker' do + expect(::Ci::Slsa::PublishStatementWorker).to receive(:perform_async).with(build.id) + + perform + end + end + + context 'and flag is disabled' do + before do + stub_feature_flags(slsa_provenance_statement: false) + end + + it 'does not call PublishStatementWorker' do + expect(::Ci::Slsa::PublishStatementWorker).not_to receive(:perform_async).with(build.id) + + perform + end + end + end end end -- GitLab
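Review bot: in patch 01's `doc/ci/slsa/provenance.md` hunk the block under `### Example` is fenced as `json` but is not valid JSON: `"visible_variable": "visible_variable",` leaves a trailing comma before the closing brace, and the `[... additional environment variables ...]` placeholder sits inside the `variables` object, so a consumer who pastes it into a parser gets an error. `"buildType": ""` should also carry the real identifier (patch 09 settles on `https://docs.gitlab.com/ci/pipeline_security/slsa/provenance_v1`), since this page exists to be the published `buildType` reference.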
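Review bot: the section moved into `doc/ci/pipeline_security/slsa/_index.md` in patch 10 keeps the `### SLSA provenance generation` and `#### Sign and verify SLSA provenance with a CI/CD Component` levels it had under the old parent page, but on the new page there is no `##` above them, so the heading hierarchy skips a level; demote them to `##` and `###` (patch 11 edits the same file and leaves the levels unchanged).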
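Review bot: the new `::Ci::Slsa::PublishStatementWorker.perform_async(build.id) if should_perform_attestation?(build)` line in `ee/app/workers/ee/ci/build_finished_worker.rb` sits directly under the comment "Use upsert since this code can be called more than once for the same build", yet nothing makes it idempotent, so a repeated `process_build` for the same build enqueues a second publish; either guard on an existing statement here or make the publishing worker itself idempotent. `should_perform_attestation?` also lacks the `build.is_a?(::Ci::Build)` check that the neighbouring `finished_build_sync_event?` applies, so confirm that `artifacts?` is defined for every object `process_build` receives.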
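Review bot: the `'when the build fails'` context in `ee/spec/workers/ee/ci/build_finished_worker_spec.rb` pins down that provenance is published for failed builds that have artifacts; if that is intended, state it in `provenance_v1.md`, because a consumer will otherwise read a statement as evidence of a successful build. The flag-disabled and no-artifacts cases are covered; a case for a non-`Ci::Build` object reaching `process_build` is not, which matters given the missing type guard in the worker hunk.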