Support in-toto attestations
colek42 opened this issue · 2 comments
colek42 commented
https://slsa.dev/provenance/v0.1 and https://github.com/in-toto/attestation/ describe the format for the in-toto attestation. It seems this model could fit in under a new attribute group.
rjb4standards commented
Thanks Cole. These may be good candidates for the SDLC policy and SDLC evidence URLs in the Vendor Response XML file.
rjb4standards commented
Recommendation: Make SLSA and in-toto evidence data accessible to customers via the SDLCEvidenceDataURL in the Vendor Response XML file, i.e.
<SAG:SDLCEvidenceDataURL>https://softwareassuranceguardian.com/ProductXYZ_SLSA.zip</SAG:SDLCEvidenceDataURL>
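For a customer who fetches the evidence bundle referenced by SDLCEvidenceDataURL, the minimum useful check is that the in-toto Statement inside it actually describes the artifact they hold. The example below is added here for illustration and is not code from this thread, from the in-toto project, or from the SAG vendor-response schema. It constructs an in-toto v0.1 Statement carrying an SLSA v0.1 provenance predicate (the two formats linked in the first comment), wraps it in a DSSE envelope, and verifies the envelope's payload type, the statement and predicate types, and that the artifact's SHA-256 appears in the subject list. The artifact bytes, builder id, material URI and invocation id are all constructed placeholders; signature verification over the DSSE pre-authentication encoding is shown as a helper but not performed, since the example has no key material.

```python
import base64
import hashlib
import json

# Type identifiers from the in-toto attestation and SLSA specs.
IN_TOTO_STATEMENT_V01 = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V01 = "https://slsa.dev/provenance/v0.1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample artifact standing in for a downloaded release file.
ARTIFACT_NAME = "ProductXYZ-1.0.0.tar.gz"
ARTIFACT_BYTES = b"constructed sample artifact contents\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_statement(artifact_name: str, artifact_bytes: bytes) -> dict:
    """Build an in-toto v0.1 Statement with an SLSA v0.1 provenance predicate.
    Builder id, recipe, material and invocation id are hypothetical values."""
    return {
        "_type": IN_TOTO_STATEMENT_V01,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact_bytes)}}],
        "predicateType": SLSA_PROVENANCE_V01,
        "predicate": {
            "builder": {"id": "https://example.com/builder/v1"},
            "recipe": {
                "type": "https://example.com/build/type/v1",
                "definedInMaterial": 0,
                "entryPoint": "build.sh",
            },
            "metadata": {
                "buildInvocationId": "constructed-0001",
                "completeness": {"arguments": False, "environment": False, "materials": False},
                "reproducible": False,
            },
            "materials": [
                {"uri": "git+https://example.com/productxyz@refs/heads/main",
                 "digest": {"sha1": "0" * 40}}
            ],
        },
    }


def wrap_in_dsse(statement: dict) -> dict:
    """Wrap a Statement in a DSSE envelope. Left unsigned here; a real envelope
    carries {"keyid", "sig"} entries computed over dsse_pae(...)."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [],
    }


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes a DSSE signature covers.
    Signing the raw payload instead of this leaves payloadType unauthenticated."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def verify_provenance(envelope: dict, artifact_bytes: bytes) -> tuple:
    """Return (ok, reason) after checking envelope type, statement type,
    predicate type, and that the artifact digest is listed as a subject.
    The subject digest is authoritative; the subject name is informational."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    try:
        payload = base64.b64decode(envelope["payload"], validate=True)
        statement = json.loads(payload)
    except (KeyError, ValueError) as exc:
        return False, f"malformed payload: {exc}"
    # Signature verification over dsse_pae(envelope["payloadType"], payload)
    # belongs here; omitted because this example has no key material.
    if statement.get("_type") != IN_TOTO_STATEMENT_V01:
        return False, "not an in-toto v0.1 Statement"
    if statement.get("predicateType") != SLSA_PROVENANCE_V01:
        return False, "not SLSA provenance v0.1"
    want = sha256_hex(artifact_bytes)
    for subject in statement.get("subject", []):
        if subject.get("digest", {}).get("sha256") == want:
            return True, "artifact matches subject digest"
    return False, "artifact digest not in subject list"


if __name__ == "__main__":
    env = wrap_in_dsse(build_sample_statement(ARTIFACT_NAME, ARTIFACT_BYTES))
    print(verify_provenance(env, ARTIFACT_BYTES))
    print(verify_provenance(env, ARTIFACT_BYTES + b"tampered"))
```

The digest comparison is the step that ties the downloaded zip to the file on disk; type checks alone only prove the bundle is well formed. In practice the empty `signatures` list would be rejected and each signature verified over `dsse_pae(...)` with a key the customer trusts for that builder.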