From c986cb74efbbffe65cf400abd6b4cc1b918dfa1a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20REY?= Date: Fri, 24 May 2024 15:59:39 +0200 Subject: [PATCH] docs(getting-started): mention the slsa attestor in getting started MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Provenance being the very first requirement from SLSA, it seems quite appropriate to mention how Witness helps achieve this easily. Signed-off-by: Rémi REY --- docs/tutorials/getting-started.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/tutorials/getting-started.md b/docs/tutorials/getting-started.md index 5537f8fc..0d774f7c 100644 --- a/docs/tutorials/getting-started.md +++ b/docs/tutorials/getting-started.md @@ -47,13 +47,16 @@ verify: >💡 Tip: You can upload the recorded attestations to an [Archivista](https://github.com/in-toto/archivista) server by using the `--enable-archivista` flag! - The `-a {attestor}` flag allows you to define which attestors run - ex. `-a maven -a gcp -a gitlab` would be used for a maven build running on a GitLab runner on GCP. +- Witness has a set of attestors that are always run. You can see them in the output of the `witness attestors list` command. - Defining step names is important, these will be used in the policy. - This should happen as a part of a CI step ``` -witness run --step build -o test-att.json -- go build -o=testapp . +witness run --step build -o test-att.json -a slsa -- go build -o=testapp . ``` +>💡 Tip: The `-a slsa` option allows to generate the [SLSA Provenace](https://slsa.dev/spec/v1.0/provenance) predicate in the attestation. This is a mandatory requirement for SLSA 1 + ### 4. View the attestation data in the signed DSSE Envelope - This data can be stored and retrieved from Archivista
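Review bot: The added tip line after the `witness run` code block misspells the link text as "SLSA Provenace"; it should read "SLSA Provenance". In the same line, "allows to generate" has no object ("lets you generate" or simply "generates" reads better), the sentence has no closing full stop, and "SLSA 1" is ambiguous beside a link to the v1.0 spec: write "SLSA Build Level 1" if the level is what is meant. The new bullet about attestors that are always run should also say whether `slsa` is one of them, because the command change just below it adds `-a slsa` explicitly and a reader cannot tell from these lines why the flag is needed.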