Example nodejs project to demonstrate SLSA L3 for npm packages.
Provenance is generated by the build_and_publish workflow, which in turn uses slsa-github-generator
- slsa-verifier
- curl
- jq
- npm
Provenance can be veified with slsa-verifier using the following commands
First, download attestations and the npm package
curl -Sso attestations.json $(npm view one-is-a-number@1.0.1 --json | jq -r '.dist.attestations.url') \
&& curl -Sso one-is-a-number.tgz "$(npm view one-is-a-number@1.0.1 --json | jq -r '.dist.tarball')"After downloading, verify the package with
SLSA_VERIFIER_EXPERIMENTAL=1 slsa-verifier verify-npm-package one-is-a-number.tgz \
--attestations-path attestations.json \
--builder-id "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml" \
--package-name "one-is-a-number" \
--package-version 1.0.1 \
--source-uri github.com/backjonas/slsa-node-example