adaptive-enforcement-lab/slsa-provenance-toolchain-integration
plugins/enforce/skills/slsa-provenance-toolchain-integration/SKILL.md
SLSA provenance for Go, Node.js, and Python: binary builds, package publishing, container images, and dependency verification with cryptographic integrity proofs.
tools
Updated Mar 27, 2026
$ install --global
skillsauthnpx skillsauth add adaptive-enforcement-lab/claude-skills slsa-provenance-toolchain-integrationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 29, 2026, 10:46 AM36.7s5 files scanned
SKILL.md
- name:
- slsa-provenance-toolchain-integration
- description:
- >-
- SLSA provenance for Go, Node.js, and Python:
- binary builds, package publishing, container images, and dependency verification with cryptographic integrity proofs.
SLSA Provenance: Toolchain Integration
When to Use This Skill
Language-specific toolchains have unique SLSA integration points:
- Build artifacts: Binaries, packages, wheels, container images
- Package registries: npm, PyPI, Go modules, GitHub Packages
- Dependency management: go.sum, package-lock.json, poetry.lock
- Build tools: GoReleaser, npm scripts, setuptools, build isolation
Each toolchain guide covers:
- SLSA Level 3 provenance generation patterns
- Multi-platform and cross-compilation workflows
- Package registry integration
- Dependency lockfile verification
- Container image attestation
- Verification workflows
- Common gotchas and troubleshooting
Implementation
See the full implementation guide in the source documentation.
Techniques
Common Integration Patterns
Pattern: Multi-Artifact Provenance
All toolchains support generating provenance for multiple artifacts in a single build:
jobs:
build:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- name: Build artifacts
run: |
# Toolchain-specific build commands
- name: Generate hashes
id: hash
run: |
sha256sum artifacts/* | base64 -w0 > hashes.txt
echo "hashes=$(cat hashes.txt)" >> "$GITHUB_OUTPUT"
provenance:
needs: [build]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true
This pattern works for:
- Go: Multiple binaries, multi-platform builds
- Node.js: Multiple npm packages, container images
- Python: Multiple wheels, source distributions
Pattern: Container Image Provenance
All toolchains support container image attestation:
jobs:
build-image:
outputs:
digest: ${{ steps.build.outputs.digest }}
steps:
- name: Build container image
id: build
run: |
# Toolchain-specific container build
podman build -t myapp:latest .
DIGEST=$(podman inspect myapp:latest --format='{{.Id}}')
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
provenance:
needs: [build-image]
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ghcr.io/org/myapp
digest: "${{ needs.build-image.outputs.digest }}"
See toolchain-specific guides for:
- Go: Distroless base images (go-advanced.md)
- Node.js: Multi-stage builds (node-advanced.md)
- Python: Python slim images (python-integration.md)
Pattern: Dependency Lockfile Verification
All toolchains support dependency verification:
=== "Go"
```yaml
- name: Verify Go modules
run: |
go mod verify
go mod download -json | jq -r '.Error' | grep -q '^null$'
```
=== "Node.js"
```yaml
- name: Verify npm dependencies
run: |
npm ci --audit
npm audit signatures
```
=== "Python"
```yaml
- name: Verify Python dependencies
run: |
pip install --require-hashes -r requirements.txt
pip check
```
See reference.md for additional techniques and detailed examples.
Examples
See examples.md for code examples.
Full Reference
See reference.md for complete documentation.
Related Patterns
- SLSA Implementation Playbook
- SLSA Levels Explained
- Verification Workflows
- Runner Configuration
- Adoption Roadmap
References
- Source Documentation
- AEL Enforce
Related Skills
adaptive-enforcement-lab/workload-identity-federation-implementation
documentation
VerifiedTrustedCommunity
Workload Identity Federation implementation guide. GKE setup, IAM bindings, ServiceAccount configuration, migration from service account keys, and troubleshooting patterns.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/workflow-trigger-security
development
VerifiedTrustedCommunity
Secure GitHub Actions trigger patterns for pull requests, forks, and reusable workflows. Preventing privilege escalation and code injection through trigger misconfiguration.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/third-party-action-risk-assessment
development
VerifiedTrustedCommunity
Structured framework for evaluating GitHub Actions security before adoption. Trust tiers, risk assessment checklist, and decision tree for action evaluation.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/storing-credentials
testing
VerifiedTrustedCommunity
Securely store GitHub App credentials across different environments. GitHub Actions secrets, external CI, Kubernetes, and automated rotation patterns.
SKILL.mdUpdated Mar 27, 2026