From 62ca168c5eaaa2e5be833046b0cb55cb8c35c28b Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Fri, 28 Jul 2023 08:30:32 -0700 Subject: [PATCH] Update docs/_posts/2023-08-07-bring-your-own-builder-github.md Co-authored-by: Philip Harrison Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- docs/_posts/2023-08-07-bring-your-own-builder-github.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/_posts/2023-08-07-bring-your-own-builder-github.md b/docs/_posts/2023-08-07-bring-your-own-builder-github.md index fdc05042d..99d5be539 100644 --- a/docs/_posts/2023-08-07-bring-your-own-builder-github.md +++ b/docs/_posts/2023-08-07-bring-your-own-builder-github.md 
@@ -89,6 +89,7 @@ $ slsa-verifier verify-artifact "${ARTIFACT}" --provenance-path="${ARTIFACT}.bui ### Verification for your dependencies A Java project contains not only the main application code, but also its dependencies consumed as "packages". We can therefore recursively verify each dependency's provenance. To this end, we're releasing an [experimental Maven plugin](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin resolves all dependencies of a given project and checks if they have provenance attestations along with their releases. When the plugin finds a dependency that has a provenance statement, it verifies it against the dependency. + The plugin automatically performs the verification when configured in the ["pom.xml"](TODO:link to doc). Or it may be run [manually](TODO:link to doc). See our [documentation](https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin). The plugin is still a proof-of-concept, but it demonstrates what's possible with and likely to come from the BYOB Framework. With the framework producing L3 provenance for GitHub Actions users, and the plugin automatically verifying Maven packages, you can build an end-to-end solution for an entire ecosystem.
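Review bot: The added line still carries two placeholder link targets, `["pom.xml"](TODO:link to doc)` and `[manually](TODO:link to doc)`, which will render as broken links once the post is published; the same hunk already references `https://github.com/slsa-framework/slsa-verifier/tree/main/experimental/maven-plugin`, so either point both links at the relevant sections of that README or drop the inline links and let the trailing "See our [documentation](...)" sentence carry the reference. While touching it, `"pom.xml"` reads better as inline code (`pom.xml`) in Markdown, and the final "See our documentation" link repeats the URL given one sentence earlier in the same paragraph, so the two could be merged.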