{"id":814,"date":"2026-03-25T09:55:05","date_gmt":"2026-03-25T08:55:05","guid":{"rendered":"https:\/\/secure-pipelines.com\/uncategorized\/lab-generating-verifying-slsa-provenance-container-images\/"},"modified":"2026-03-25T09:55:05","modified_gmt":"2026-03-25T08:55:05","slug":"lab-generating-verifying-slsa-provenance-container-images","status":"publish","type":"post","link":"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/lab-generating-verifying-slsa-provenance-container-images\/","title":{"rendered":"Hands-on Lab: Generating and Verifying SLSA Provenance Attestations for Container Images"},"content":{"rendered":"<h2>Overview<\/h2>\n<p>SLSA (Supply-chain Levels for Software Artifacts) provenance is a verifiable record of <em>how<\/em> an artifact was built: the source repository, the build platform, the entry point and the input materials. 
When attached to a container image, provenance lets consumers answer a critical question before deployment: <strong>&#8220;Was this image really built from the source I expect, on a platform I trust?&#8221;<\/strong><\/p>\n<p>In this hands-on lab you will:<\/p>\n<ul>\n<li>Build and push a container image to GitHub Container Registry (GHCR).<\/li>\n<li>Generate <strong>SLSA Build Level 3<\/strong> provenance with the official reusable workflow from <code>slsa-github-generator<\/code>.<\/li>\n<li>Generate provenance with GitHub's native <strong>artifact attestations<\/strong> (<code>actions\/attest-build-provenance<\/code>).<\/li>\n<li>Verify provenance with <code>slsa-verifier<\/code>, <code>cosign<\/code> and <code>gh attestation verify<\/code>.<\/li>\n<li>Enforce 
provenance at deploy time with a Kubernetes admission policy.<\/li>\n<\/ul>\n<p>By the end of this lab you will have a complete, repeatable pipeline that produces verifiable provenance for every container image you ship.<\/p>\n<h2>Prerequisites<\/h2>\n<p>Before you start, make sure you have:<\/p>\n<ul>\n<li><strong>A GitHub account<\/strong> with a test repository (public, or private on GitHub Pro\/Team\/Enterprise).<\/li>\n<li><strong>GHCR access<\/strong> &mdash; a GitHub account can push to <code>ghcr.io<\/code> by default; confirm under <em>Settings &rarr; Packages<\/em>.<\/li>\n<li><strong>Cosign CLI<\/strong> installed locally:\n<pre><code># macOS\nbrew install cosign\n\n# Linux \/ other\ngo install 
github.com\/sigstore\/cosign\/v2\/cmd\/cosign@latest<\/code><\/pre>\n<\/li>\n<li><strong>slsa-verifier CLI<\/strong> installed:\n<pre><code>go install github.com\/slsa-framework\/slsa-verifier\/v2\/cli\/slsa-verifier@latest<\/code><\/pre>\nOutside a lab, install a pinned release of both verifiers rather than <code>@latest<\/code>: a tool you trust to make verification decisions is itself part of your supply chain.<\/li>\n<li><strong>GitHub CLI<\/strong> (<code>gh<\/code>) version 2.49 or later (for the <code>gh attestation<\/code> commands).<\/li>\n<li><strong>Docker<\/strong> installed and running.<\/li>\n<li><strong>kubectl<\/strong> with access to a test Kubernetes cluster (for the enforcement exercise).<\/li>\n<\/ul>\n<h2>Environment Setup<\/h2>\n<h3>Step 1 &mdash; Create the test repository<\/h3>\n<p>Create a new GitHub repository named <code>slsa-provenance-lab<\/code>. 
Clone it locally and add the following files.<\/p>\n<h4>main.go<\/h4>\n<pre><code>package main\n\nimport (\n\t\"fmt\"\n\t\"log\"\n\t\"net\/http\"\n)\n\nfunc main() {\n\thttp.HandleFunc(\"\/\", func(w http.ResponseWriter, r *http.Request) {\n\t\tfmt.Fprintf(w, \"Hello from SLSA provenance lab!\")\n\t})\n\tlog.Println(\"Server starting on :8080\")\n\tlog.Fatal(http.ListenAndServe(\":8080\", nil))\n}<\/code><\/pre>\n<h4>go.mod<\/h4>\n<pre><code>module github.com\/YOUR_USER\/slsa-provenance-lab\n\ngo 1.22<\/code><\/pre>\n<h4>Dockerfile<\/h4>\n<pre><code>FROM golang:1.22-alpine AS builder\nWORKDIR \/app\nCOPY go.mod .\/\nCOPY main.go .\/\nRUN go build -o server .\n\nFROM alpine:3.19\nRUN apk --no-cache add ca-certificates\nCOPY --from=builder \/app\/server \/server\nENTRYPOINT [\"\/server\"]<\/code><\/pre>\n<h3>Step 2 &mdash; Verify GHCR access<\/h3>\n<p>Authenticate Docker to GHCR so that you can push images:<\/p>\n<pre><code>echo $GITHUB_TOKEN | docker login ghcr.io -u YOUR_USER --password-stdin<\/code><\/pre>\n<p>Replace <code>YOUR_USER<\/code> with your GitHub username and <code>GITHUB_TOKEN<\/code> with a personal access token that has the <code>write:packages<\/code> scope.<\/p>\n<h3>Step 3 &mdash; Baseline build-and-push workflow (without 
provenance)<\/h3>\n<p>Create <code>.github\/workflows\/build.yml<\/code> to confirm that the image builds and pushes correctly before you add provenance:<\/p>\n<pre><code>name: Build and Push (baseline)\n\non:\n  push:\n    tags:\n      - \"v*\"\n\nenv:\n  IMAGE: ghcr.io\/${{ github.repository_owner }}\/slsa-provenance-lab\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      packages: write\n    steps:\n      - uses: actions\/checkout@v4\n\n      - uses: docker\/login-action@v3\n        with:\n          registry: ghcr.io\n          username: ${{ github.actor }}\n          password: ${{ secrets.GITHUB_TOKEN }}\n\n      - uses: docker\/build-push-action@v6\n        with:\n          context: .\n          push: true\n          tags: |\n            ${{ env.IMAGE }}:${{ github.ref_name }}\n            ${{ env.IMAGE }}:latest<\/code><\/pre>\n<p>Push a test tag to trigger it:<\/p>\n<pre><code>git add -A\ngit commit -m \"baseline build workflow\"\ngit tag v0.1.0\ngit push origin main --tags<\/code><\/pre>\n<p>Confirm that the image appears at <code>ghcr.io\/YOUR_USER\/slsa-provenance-lab:v0.1.0<\/code> before continuing. Then delete or disable this baseline workflow: every workflow in this lab triggers on the same <code>v*<\/code> tags, and if several of them build the same tag they race to push <code>:latest<\/code> and the version tag, each with its own digest, so the image the tag finally points at may not be the one a given run attested.<\/p>\n<h2>Exercise 1: Generating SLSA Provenance with slsa-github-generator<\/h2>\n<h3>Why slsa-github-generator reaches SLSA Build Level 3<\/h3>\n<p>The key 
property of SLSA Build Level 3 is that provenance is generated by a build platform the developer <strong>cannot<\/strong> influence. <code>slsa-github-generator<\/code> achieves this by running as a <strong>reusable workflow hosted in a separate repository<\/strong>. GitHub Actions runs a called reusable workflow as its own job on its own runner, and the OIDC token that job signs with identifies the reusable workflow (the <code>job_workflow_ref<\/code> claim) rather than the caller. The provenance step is therefore protected from the calling workflow: even if the build job is compromised, it cannot rewrite what the provenance records and it cannot sign provenance under the generator's identity. Be clear about the limit of this guarantee: a compromised build job can still produce a malicious image, but the provenance will honestly say which commit, workflow and inputs produced it, so the compromise is attributable to that run.<\/p>\n<h3>The Workflow<\/h3>\n<p>Create <code>.github\/workflows\/slsa-provenance.yml<\/code>. The <code>env<\/code> context is not available in job outputs or in the <code>with:<\/code> inputs of a reusable-workflow call, so the image name is passed through a step output:<\/p>\n<pre><code>name: Build + SLSA Provenance (slsa-github-generator)\n\non:\n  push:\n    tags:\n      - \"v*\"\n\nenv:\n  IMAGE: ghcr.io\/${{ github.repository_owner }}\/slsa-provenance-lab\n\njobs:\n  # --- Job 1: Build and push the container image ---\n  build:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      packages: write\n    outputs:\n      image: ${{ steps.image.outputs.image }}\n      digest: ${{ 
steps.push.outputs.digest }}\n    steps:\n      - uses: actions\/checkout@v4\n\n      - uses: docker\/login-action@v3\n        with:\n          registry: ghcr.io\n          username: ${{ github.actor }}\n          password: ${{ secrets.GITHUB_TOKEN }}\n\n      - id: push\n        uses: docker\/build-push-action@v6\n        with:\n          context: .\n          push: true\n          tags: |\n            ${{ env.IMAGE }}:${{ github.ref_name }}\n            ${{ env.IMAGE }}:latest\n\n      # The env context cannot be read from job outputs or reusable-workflow\n      # inputs, so export the image name as a step output.\n      - id: image\n        run: echo \"image=${IMAGE}\" &gt;&gt; \"$GITHUB_OUTPUT\"\n\n  # --- Job 2: Generate SLSA Level 3 provenance ---\n  provenance:\n    needs: build\n    permissions:\n      actions: read\n      id-token: write\n      packages: write\n    uses: slsa-framework\/slsa-github-generator\/.github\/workflows\/generator_container_slsa3.yml@v2.1.0\n    with:\n      image: ${{ needs.build.outputs.image }}\n      digest: ${{ needs.build.outputs.digest }}\n    secrets:\n      registry-username: ${{ github.actor }}\n      registry-password: ${{ secrets.GITHUB_TOKEN }}<\/code><\/pre>\n<h3>Understanding the Workflow<\/h3>\n<ul>\n<li>The <strong>build<\/strong> job builds the image, pushes it to GHCR, and exports the image reference and digest as job outputs.<\/li>\n<li>The <strong>provenance<\/strong> job calls the reusable workflow from the <code>slsa-framework\/slsa-github-generator<\/code> repository at a pinned release tag (<code>@v2.1.0<\/code>). 
Because the workflow definition is controlled by the slsa-framework maintainers, runs as its own job on a fresh GitHub-hosted runner, and signs under an OIDC identity that names that reusable workflow, it meets the SLSA Build Level 3 requirements for a hardened build platform and non-forgeable provenance.<\/li>\n<li>The provenance is signed with Sigstore keyless signing (a short-lived Fulcio certificate plus a Rekor transparency-log entry) and attached to the image in GHCR as a cosign attestation.<\/li>\n<\/ul>\n<h3>Running the Workflow<\/h3>\n<pre><code>git add .github\/workflows\/slsa-provenance.yml\ngit commit -m \"add SLSA provenance workflow\"\ngit tag v1.0.0\ngit push origin main --tags<\/code><\/pre>\n<p>In the Actions tab you will see two jobs: <strong>build<\/strong> and <strong>provenance<\/strong>. The provenance job generates an in-toto attestation, signs it through Sigstore, and pushes the attestation to GHCR next to the image. 
When both jobs succeed, your image at <code>ghcr.io\/YOUR_USER\/slsa-provenance-lab@sha256:&lt;digest&gt;<\/code> carries a signed SLSA Build Level 3 provenance attestation. Note the digest shown in the build job's output; the verification exercises below refer to it.<\/p>\n<h2>Exercise 2: Generating Provenance with GitHub Artifact Attestations<\/h2>\n<h3>GitHub's native approach<\/h3>\n<p>GitHub provides a built-in way to generate build provenance through the <code>actions\/attest-build-provenance<\/code> action. It is simpler to set up and stores the attestation in GitHub's own attestation store, so it can be verified with the <code>gh<\/code> CLI. 
The trade-off is that these attestations follow GitHub's verification path (the <code>gh<\/code> CLI and GitHub's trust roots) rather than the SLSA framework's verifier.<\/p>\n<h3>The Workflow<\/h3>\n<p>Create <code>.github\/workflows\/github-attestation.yml<\/code>:<\/p>\n<pre><code>name: Build + GitHub Artifact Attestation\n\non:\n  push:\n    tags:\n      - \"v*\"\n\nenv:\n  IMAGE: ghcr.io\/${{ github.repository_owner }}\/slsa-provenance-lab\n\njobs:\n  build-and-attest:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      packages: write\n      attestations: write\n      id-token: write\n    steps:\n      - uses: actions\/checkout@v4\n\n      - uses: docker\/login-action@v3\n        with:\n          registry: ghcr.io\n          username: ${{ github.actor }}\n          password: ${{ secrets.GITHUB_TOKEN }}\n\n      - id: push\n        uses: docker\/build-push-action@v6\n        with:\n          context: .\n          push: true\n          tags: |\n            ${{ env.IMAGE }}:${{ github.ref_name }}\n            ${{ env.IMAGE }}:latest\n\n      - name: Generate artifact attestation\n        uses: actions\/attest-build-provenance@v2\n        with:\n          subject-name: ${{ env.IMAGE }}\n          subject-digest: ${{ steps.push.outputs.digest }}\n          push-to-registry: true<\/code><\/pre>\n<h3>Comparing the two approaches<\/h3>\n<table>\n<thead>\n<tr>\n<th>Aspect<\/th>\n<th>slsa-github-generator<\/th>\n<th>GitHub Artifact Attestations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>SLSA level<\/td>\n<td>Build Level 3 (isolated reusable workflow)<\/td>\n<td>Build Level 2 
(single workflow; Build Level 3 if the attest step is moved into its own reusable workflow)<\/td>\n<\/tr>\n<tr>\n<td>Verification tool<\/td>\n<td><code>slsa-verifier<\/code>, <code>cosign<\/code><\/td>\n<td><code>gh attestation verify<\/code>, <code>cosign<\/code><\/td>\n<\/tr>\n<tr>\n<td>Attestation storage<\/td>\n<td>OCI registry (next to the image)<\/td>\n<td>GitHub attestation API, plus an optional push to the OCI registry<\/td>\n<\/tr>\n<tr>\n<td>Setup complexity<\/td>\n<td>Two-job workflow with a reusable-workflow call<\/td>\n<td>Single-job workflow with one extra step<\/td>\n<\/tr>\n<tr>\n<td>Signing<\/td>\n<td>Sigstore public instance (Fulcio + Rekor)<\/td>\n<td>Sigstore public instance for public repositories; GitHub's own Sigstore instance for private ones<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Both approaches are valid. Use <code>slsa-github-generator<\/code> when you need strict SLSA Build Level 3 and verification with tooling that does not depend on GitHub. 
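<\/p>\n<p>Whichever approach you choose, the verifiers in the exercises that follow do two separable jobs: they check the Sigstore signature (Fulcio certificate, Rekor entry), and they check that the decoded provenance says what you expect about builder, source and subject. The Python below is an added example, not code from this lab or from the SLSA, Sigstore or GitHub projects. It implements the second job over a DSSE envelope for both predicate layouts this lab produces, SLSA v0.2 (what <code>cosign --type slsaprovenance<\/code> selects) and SLSA v1.0 (what <code>actions\/attest-build-provenance<\/code> emits), and so covers in code the checks listed under <em>What slsa-verifier checks<\/em> in Exercise 3 and the fields listed under <em>Inspecting the provenance payload<\/em> in Exercise 4. The sample statements, the digest, the commit and the GitHub-hosted-runner builder id are constructed, and the field paths and regular expressions are this example's assumptions to compare against your own decoded payload. It deliberately performs no signature verification, so feed it only envelopes that cosign, slsa-verifier or gh have already accepted.<\/p>\n

```python
"""Policy checks over a decoded SLSA provenance statement (added example)."""
import base64
import json
import re

IN_TOTO = "application/vnd.in-toto+json"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"  # cosign --type slsaprovenance
SLSA_V1 = "https://slsa.dev/provenance/v1"     # cosign --type slsaprovenance1

# Anchored builder identity pinned to a release tag: provenance signed from a branch ref
# (@refs/heads/main) or by another workflow in that repository is rejected.
GENERATOR_CONTAINER_SLSA3 = re.compile(
    r"^https://github\.com/slsa-framework/slsa-github-generator/"
    r"\.github/workflows/generator_container_slsa3\.yml@refs/tags/v\d+\.\d+\.\d+$")
# Builder id of the constructed v1.0 sample below (an assumption; compare with your payload).
GITHUB_HOSTED_RUNNER = re.compile(r"^https://github\.com/actions/runner/github-hosted$")


def decode_statement(envelope: dict) -> dict:
    """Decode the in-toto statement in a DSSE envelope. No signature check happens
    here: only pass envelopes that cosign, slsa-verifier or gh already accepted."""
    if envelope.get("payloadType") != IN_TOTO:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def extract_facts(statement: dict) -> dict:
    """Builder id and source ref, read from either the v0.2 or the v1.0 layout."""
    pred, ptype = statement["predicate"], statement.get("predicateType")
    if ptype == SLSA_V02:
        return {"builder": pred["builder"]["id"], "source": pred["invocation"]["configSource"]["uri"]}
    if ptype == SLSA_V1:
        wf = pred["buildDefinition"]["externalParameters"]["workflow"]
        return {"builder": pred["runDetails"]["builder"]["id"],
                "source": f"git+{wf['repository']}@{wf['ref']}"}
    raise ValueError(f"unsupported predicateType {ptype!r}")


def check_provenance(envelope, *, image, digest, source_repo, tag, allowed_builders):
    """Return the policy violations for one envelope; an empty list means pass."""
    violations, stmt = [], decode_statement(envelope)
    want_sha = digest.removeprefix("sha256:")
    # 1. Subject: the statement must be about exactly this image and digest.
    if not any(s.get("name") == image and s.get("digest", {}).get("sha256") == want_sha
               for s in stmt.get("subject", [])):
        violations.append(f"subject {image}@sha256:{want_sha} is not attested")
    try:
        facts = extract_facts(stmt)
    except (KeyError, ValueError) as exc:
        return violations + [f"malformed provenance: {exc}"]
    # 2. Builder: must match one anchored, pinned identity.
    if not any(p.match(facts["builder"]) for p in allowed_builders):
        violations.append(f"untrusted builder {facts['builder']}")
    # 3. Source repository and tag, as slsa-verifier's --source-uri/--source-tag do.
    expected = f"git+https://github.com/{source_repo}@refs/tags/{tag}"
    if facts["source"] != expected:
        violations.append(f"source {facts['source']} does not match {expected}")
    return violations


# Constructed sample data (not captured from a real run).
IMAGE, REPO = "ghcr.io/YOUR_USER/slsa-provenance-lab", "YOUR_USER/slsa-provenance-lab"
DIGEST, SOURCE = "sha256:" + "ab" * 32, f"git+https://github.com/{REPO}@refs/tags/v1.0.0"
SUBJECT = [{"name": IMAGE, "digest": {"sha256": DIGEST.removeprefix("sha256:")}}]
GENERATOR_STATEMENT = {  # v0.2 layout (cosign --type slsaprovenance)
    "_type": "https://in-toto.io/Statement/v0.1", "predicateType": SLSA_V02, "subject": SUBJECT,
    "predicate": {"builder": {"id": "https://github.com/slsa-framework/slsa-github-generator/"
                                    ".github/workflows/generator_container_slsa3.yml@refs/tags/v2.1.0"},
                  "buildType": "https://github.com/slsa-framework/slsa-github-generator/container@v1",
                  "invocation": {"configSource": {"uri": SOURCE, "digest": {"sha1": "abc123def456"},
                                                  "entryPoint": ".github/workflows/slsa-provenance.yml"}}}}
GITHUB_STATEMENT = {  # v1.0 layout (cosign --type slsaprovenance1), as actions/attest-build-provenance emits
    "_type": "https://in-toto.io/Statement/v1", "predicateType": SLSA_V1, "subject": SUBJECT,
    "predicate": {"buildDefinition": {
                      "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
                      "externalParameters": {"workflow": {"ref": "refs/tags/v1.0.0",
                                                          "repository": f"https://github.com/{REPO}",
                                                          "path": ".github/workflows/github-attestation.yml"}}},
                  "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}}}}


def make_envelope(statement: dict) -> dict:
    """Wrap a statement as an unsigned DSSE envelope (test data only)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": IN_TOTO, "payload": payload, "signatures": []}


def demo() -> dict:
    """Policy results for both samples and for the failure cases of Exercise 3."""
    base = dict(image=IMAGE, digest=DIGEST, source_repo=REPO, tag="v1.0.0")
    gen, ok = make_envelope(GENERATOR_STATEMENT), [GENERATOR_CONTAINER_SLSA3]
    unpinned = json.loads(json.dumps(GENERATOR_STATEMENT))  # deep copy, then weaken the ref
    unpinned["predicate"]["builder"]["id"] = unpinned["predicate"]["builder"]["id"].replace(
        "@refs/tags/v2.1.0", "@refs/heads/main")
    return {
        "generator-ok": check_provenance(gen, allowed_builders=ok, **base),
        "github-ok": check_provenance(make_envelope(GITHUB_STATEMENT),
                                      allowed_builders=[GITHUB_HOSTED_RUNNER], **base),
        "wrong-repo": check_provenance(gen, allowed_builders=ok,
                                       **{**base, "source_repo": "YOUR_USER/wrong-repo"}),
        "wrong-digest": check_provenance(gen, allowed_builders=ok,
                                         **{**base, "digest": "sha256:" + "cd" * 32}),
        "unpinned-builder": check_provenance(make_envelope(unpinned), allowed_builders=ok, **base),
    }
```

<p>Call <code>demo()<\/code> to see the outcome of each case: the two well-formed statements pass, the wrong repository and the wrong digest each produce one violation, and the builder at <code>@refs\/heads\/main<\/code> is refused even though it lives in the right repository, which is the practical difference between an anchored, tag-pinned identity pattern and a bare prefix. These are the same conditions an admission controller evaluates in Exercise 6; writing them out shows exactly which provenance field each verifier flag constrains.<\/p>\n<p>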
Use GitHub artifact attestations when you want the simpler setup and your consumers already work inside the GitHub ecosystem.<\/p>\n<h2>Exercise 3: Verifying Provenance with slsa-verifier<\/h2>\n<p>The <code>slsa-verifier<\/code> CLI is the official tool for verifying SLSA provenance produced by <code>slsa-github-generator<\/code>. In one command it checks the Sigstore signature, the builder identity, the source repository and the artifact digest.<\/p>\n<h3>Step 1 &mdash; Get the image digest<\/h3>\n<p>Retrieve the digest of the image the provenance workflow pushed. <code>docker inspect<\/code> only reports <code>RepoDigests<\/code> for an image that has been pulled from the registry, so pull it first (or read the digest straight from the registry with <code>docker buildx imagetools inspect<\/code>):<\/p>\n<pre><code>IMAGE=ghcr.io\/YOUR_USER\/slsa-provenance-lab\ndocker pull \"$IMAGE:v1.0.0\"\nDIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' \"$IMAGE:v1.0.0\" | cut -d@ -f2)\necho \"$DIGEST\"   # sha256:...<\/code><\/pre>\n<p>You can also read the digest from the <strong>build<\/strong> job's output 
in the Actions run or from the GHCR package page. If more than one workflow pushed the same tag, the digest the <strong>slsa-provenance<\/strong> run printed is the one its attestation covers; verify that digest, not whatever the tag currently resolves to.<\/p>\n<h3>Step 2 &mdash; Successful verification<\/h3>\n<pre><code>slsa-verifier verify-image \"ghcr.io\/YOUR_USER\/slsa-provenance-lab@$DIGEST\" \\\n  --source-uri github.com\/YOUR_USER\/slsa-provenance-lab \\\n  --source-tag v1.0.0<\/code><\/pre>\n<p>Expected output:<\/p>\n<pre><code>Verified build using builder \"https:\/\/github.com\/slsa-framework\/slsa-github-generator\/.github\/workflows\/generator_container_slsa3.yml@refs\/tags\/v2.1.0\" at commit abc123def456\nVERIFIED: SLSA verification passed<\/code><\/pre>\n<h3>Step 3 &mdash; Failed verification: wrong source URI<\/h3>\n<p>Try verifying against a repository that did not build the image:<\/p>\n<pre><code>slsa-verifier verify-image \"ghcr.io\/YOUR_USER\/slsa-provenance-lab@$DIGEST\" \\\n  --source-uri github.com\/YOUR_USER\/wrong-repo \\\n  --source-tag v1.0.0<\/code><\/pre>\n<p>Expected output:<\/p>\n<pre><code>FAILED: SLSA verification failed: source used to generate the binary does not match provenance<\/code><\/pre>\n<h3>Step 4 &mdash; Failed verification: wrong tag<\/h3>\n<pre><code>slsa-verifier verify-image \"ghcr.io\/YOUR_USER\/slsa-provenance-lab@$DIGEST\" \\\n  --source-uri github.com\/YOUR_USER\/slsa-provenance-lab \\\n  --source-tag 
v9.9.9<\/code><\/pre>\n<p>Expected output (the exact wording varies between slsa-verifier releases):<\/p>\n<pre><code>FAILED: SLSA verification failed: tag used to generate the binary does not match provenance<\/code><\/pre>\n<h3>What slsa-verifier checks<\/h3>\n<ul>\n<li><strong>Builder identity<\/strong> &mdash; the provenance was signed under the identity of the official <code>slsa-github-generator<\/code> reusable workflow at a release tag; <code>--builder-id<\/code> pins the expected builder explicitly.<\/li>\n<li><strong>Source repository<\/strong> &mdash; the provenance must name the source URI you pass with <code>--source-uri<\/code>.<\/li>\n<li><strong>Source tag or branch<\/strong> &mdash; optionally, the Git ref that triggered the build (<code>--source-tag<\/code>, <code>--source-versioned-tag<\/code> or <code>--source-branch<\/code>).<\/li>\n<li><strong>Artifact digest<\/strong> &mdash; the SHA-256 digest recorded in the provenance subject must match the image you pass.<\/li>\n<li><strong>Signature and transparency log<\/strong> &mdash; the 
Sigstore signature is verified against the Fulcio certificate chain and the Rekor transparency log.<\/li>\n<\/ul>\n<h2>Exercise 4: Verifying with cosign verify-attestation<\/h2>\n<p>Cosign is a lower-level but more flexible way to verify the attestations attached to a container image. It is useful when you need the raw provenance payload or are building a custom verification pipeline. Two things that <code>slsa-verifier<\/code> handles for you must be done by hand here. First, match the certificate identity with an <em>anchored<\/em> regular expression pinned to a release tag; an unanchored prefix such as <code>https:\/\/github.com\/slsa-framework\/slsa-github-generator\/<\/code> also accepts a branch ref like <code>@refs\/heads\/main<\/code> and any other workflow in that repository. Second, <code>--type<\/code> must name the predicate version the attestation actually carries: <code>slsaprovenance<\/code> selects SLSA v0.2 and <code>slsaprovenance1<\/code> selects SLSA v1.0. If cosign reports that no matching attestations were found, decode the payload and check its <code>predicateType<\/code>.<\/p>\n<h3>Verifying the Attestation<\/h3>\n<pre><code>cosign verify-attestation \\\n  --type slsaprovenance \\\n  --certificate-identity-regexp '^https:\/\/github.com\/slsa-framework\/slsa-github-generator\/.github\/workflows\/generator_container_slsa3.yml@refs\/tags\/v2.1.0$' \\\n  --certificate-oidc-issuer https:\/\/token.actions.githubusercontent.com \\\n  ghcr.io\/YOUR_USER\/slsa-provenance-lab@$DIGEST<\/code><\/pre>\n<p>On success, cosign prints the verified DSSE envelope as JSON on stdout; the human-readable summary goes to stderr. Abbreviated example:<\/p>\n<pre><code>Verification for ghcr.io\/YOUR_USER\/slsa-provenance-lab@sha256:abc123... 
--\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - Existence of the claims in the transparency log was verified offline\n  - The code-signing certificate was verified using trusted certificate authority\n\n{\n  \"payloadType\": \"application\/vnd.in-toto+json\",\n  \"payload\": \"eyJfdHlwZSI6Imh0dHBz...\",\n  \"signatures\": [{ \"sig\": \"MEUCIQD...\" }]\n}<\/code><\/pre>\n<h3>Inspecting the provenance payload<\/h3>\n<p>Decode the base64 payload to inspect the provenance fields:<\/p>\n<pre><code>cosign verify-attestation \\\n  --type slsaprovenance \\\n  --certificate-identity-regexp '^https:\/\/github.com\/slsa-framework\/slsa-github-generator\/.github\/workflows\/generator_container_slsa3.yml@refs\/tags\/v2.1.0$' \\\n  --certificate-oidc-issuer https:\/\/token.actions.githubusercontent.com \\\n  ghcr.io\/YOUR_USER\/slsa-provenance-lab@$DIGEST \\\n  | jq -r '.payload' | base64 -d | jq .<\/code><\/pre>\n<p>The fields you see depend on the predicate version, so check <code>predicateType<\/code> first. <code>--type slsaprovenance<\/code> selects a SLSA v0.2 predicate, which carries <code>builder.id<\/code>, <code>buildType<\/code>, <code>invocation.configSource<\/code> (the repository URI, commit and entry-point workflow) and <code>materials<\/code>. A SLSA v1.0 predicate (<code>--type slsaprovenance1<\/code>), which is what <code>actions\/attest-build-provenance<\/code> emits, has these key fields:<\/p>\n<ul>\n<li><strong><code>buildDefinition.buildType<\/code><\/strong> &mdash; identifies the build system (for example <code>https:\/\/slsa-framework.github.io\/github-actions-buildtypes\/workflow\/v1<\/code>).<\/li>\n<li><strong><code>buildDefinition.externalParameters.workflow<\/code><\/strong> &mdash; the workflow file and the ref that ran the build.<\/li>\n<li><strong><code>buildDefinition.resolvedDependencies<\/code><\/strong> &mdash; the Git commit, the repository and any 
other inputs.<\/li>\n<li><strong><code>runDetails.builder.id<\/code><\/strong> &mdash; the URI of the trusted builder that generated the provenance.<\/li>\n<\/ul>\n<h2>Exercise 5: Verifying with gh attestation verify<\/h2>\n<p>For images attested with GitHub's native artifact attestations (Exercise 2), the <code>gh<\/code> CLI offers the simplest verification path. If the github-attestation run pushed a different digest from the one you verified in Exercise 3, set <code>DIGEST<\/code> to the one that run printed.<\/p>\n<h3>Verifying the Attestation<\/h3>\n<pre><code>gh attestation verify oci:\/\/ghcr.io\/YOUR_USER\/slsa-provenance-lab@$DIGEST \\\n  --owner YOUR_USER<\/code><\/pre>\n<p>Expected output:<\/p>\n<pre><code>Loaded digest sha256:abc123def456... 
for oci:\/\/ghcr.io\/YOUR_USER\/slsa-provenance-lab@sha256:abc123...\nLoaded 1 attestation from GitHub API\n\n\u2713 Verification succeeded!\n\nPredicateType: https:\/\/slsa.dev\/provenance\/v1\nSubjectName:   ghcr.io\/YOUR_USER\/slsa-provenance-lab\nSubjectDigest: sha256:abc123def456...\nSignerRepo:    YOUR_USER\/slsa-provenance-lab\nSignerWorkflow: .github\/workflows\/github-attestation.yml\nRunnerEnv:     github-hosted<\/code><\/pre>\n<h3>Download and Inspect the Attestation<\/h3>\n<p>To keep the raw attestation bundle for offline inspection, download it. <code>gh attestation download<\/code> has no output-path flag: it writes the matching Sigstore bundles, one JSON object per line, to a <code>.jsonl<\/code> file in the current directory named after the artifact digest (<code>sha256:&lt;hex&gt;.jsonl<\/code>):<\/p>\n<pre><code>gh attestation download oci:\/\/ghcr.io\/YOUR_USER\/slsa-provenance-lab@$DIGEST \\\n  --owner YOUR_USER\n\n# One Sigstore bundle per line; decode the DSSE payload of the first one\nhead -n 1 \"$DIGEST.jsonl\" | jq -r '.dsseEnvelope.payload' | base64 -d | jq .<\/code><\/pre>\n<p>This gives you the full SLSA provenance predicate, which you can store alongside your deployment records for auditing.<\/p>\n<h2>Exercise 6: Enforcing Provenance at Deploy Time<\/h2>\n<p>Generating and verifying provenance by hand is valuable, but the real security benefit comes from <strong>automated enforcement<\/strong> at deploy time. In this exercise you will configure a Kubernetes admission policy that rejects any container image lacking valid SLSA provenance.<\/p>\n<h3>Option A: Sigstore Policy Controller<\/h3>\n<p><a href=\"https:\/\/docs.sigstore.dev\/policy-controller\/overview\/\" target=\"_blank\" rel=\"noopener\">Sigstore policy-controller<\/a> is a Kubernetes admission webhook that verifies image signatures and attestations before admitting pods.<\/p>\n<h4>Install the Policy Controller<\/h4>\n<pre><code>helm repo add sigstore https:\/\/sigstore.github.io\/helm-charts\nhelm repo update\nhelm install policy-controller sigstore\/policy-controller \\\n  --namespace cosign-system \\\n  --create-namespace<\/code><\/pre>\n<h4>Create a ClusterImagePolicy<\/h4>\n<p>Create <code>slsa-policy.yml<\/code>. The <code>predicateType<\/code> field takes a cosign alias rather than a URI, so use <code>slsaprovenance1<\/code> for SLSA v1 provenance; the CUE policy then checks the predicate type inside the statement itself. Be aware that the keyless identity only proves the attestation was signed by the <code>slsa-github-generator<\/code> reusable workflow, and that identity is the same for every repository that uses the generator. A production policy should therefore also constrain <code>predicate.buildDefinition.externalParameters.workflow.repository<\/code> and <code>predicate.runDetails.builder.id<\/code> in the CUE data, otherwise provenance produced for someone else's repository would be accepted:<\/p>\n<pre><code>apiVersion: policy.sigstore.dev\/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: require-slsa-provenance\nspec:\n  images:\n    - glob: \"ghcr.io\/YOUR_USER\/**\"\n  authorities:\n    - keyless:\n        url: https:\/\/fulcio.sigstore.dev\n        identities:\n          - issuer: https:\/\/token.actions.githubusercontent.com\n            subjectRegExp: \"^https:\/\/github.com\/slsa-framework\/slsa-github-generator\/.*\"\n      attestations:\n        - name: must-have-slsa-provenance\n          predicateType: slsaprovenance1\n          policy:\n            type: cue\n            data: |\n              predicateType: \"https:\/\/slsa.dev\/provenance\/v1\"<\/code><\/pre>\n<p>Apply it:<\/p>\n<pre><code>kubectl apply -f slsa-policy.yml<\/code><\/pre>\n<h4>Label the Namespace for Enforcement<\/h4>\n<p>policy-controller only evaluates pods in namespaces that carry its include label; a namespace without it is not enforced at all:<\/p>\n<pre><code>kubectl label namespace default policy.sigstore.dev\/include=true<\/code><\/pre>\n<h3>Option B: Kyverno Policy<\/h3>\n<p>If you use Kyverno as your policy engine, create <code>kyverno-slsa-policy.yml<\/code>. The same caveat applies: without <code>conditions<\/code> on the attestation (JMESPath checks on the predicate's repository and builder fields), any image whose provenance was signed by the generator passes, whichever repository it was built from:<\/p>\n<pre><code>apiVersion: kyverno.io\/v1\nkind: ClusterPolicy\nmetadata:\n  name: require-slsa-provenance\nspec:\n  validationFailureAction: Enforce\n  webhookTimeoutSeconds: 30\n  rules:\n    - name: check-slsa-provenance\n      match:\n        any:\n          - resources:\n              kinds:\n                - Pod\n      verifyImages:\n        - imageReferences:\n            - \"ghcr.io\/YOUR_USER\/*\"\n          attestations:\n            - type: https:\/\/slsa.dev\/provenance\/v1\n              attestors:\n                - entries:\n                    - keyless:\n                        issuer: https:\/\/token.actions.githubusercontent.com\n                        subjectRegExp: \"^https:\/\/github.com\/slsa-framework\/slsa-github-generator\/.*\"\n                        rekor:\n                          url: https:\/\/rekor.sigstore.dev<\/code><\/pre>\n<p>Apply it:<\/p>\n<pre><code>kubectl apply -f kyverno-slsa-policy.yml<\/code><\/pre>\n<h3>Test: Image with Provenance (Accepted)<\/h3>\n<pre><code>kubectl run test-allowed \\\n  
--image=ghcr.io\/YOUR_USER\/slsa-provenance-lab@$DIGEST \\\n  --restart=Never<\/code><\/pre>\n<p>Expected result: the pod is created.<\/p>\n<h3>Test: Image without Provenance (Rejected)<\/h3>\n<p>Push a quick image that has no provenance attached:<\/p>\n<pre><code>docker build -t ghcr.io\/YOUR_USER\/slsa-provenance-lab:no-provenance .\ndocker push ghcr.io\/YOUR_USER\/slsa-provenance-lab:no-provenance\n\nNO_PROV_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' \\\n  ghcr.io\/YOUR_USER\/slsa-provenance-lab:no-provenance | cut -d@ -f2)\n\nkubectl run test-rejected \\\n  --image=ghcr.io\/YOUR_USER\/slsa-provenance-lab@$NO_PROV_DIGEST \\\n  --restart=Never<\/code><\/pre>\n<p>Expected result (the exact wording differs between policy-controller and Kyverno, but in both cases the admission webhook denies the request):<\/p>\n<pre><code>Error from server: admission webhook denied the request:\nimage ghcr.io\/YOUR_USER\/slsa-provenance-lab@sha256:... \nfailed to verify: no matching attestations found<\/code><\/pre>\n<p>This confirms that the admission policy blocks images that lack SLSA provenance.<\/p>\n<h2>Inspecting a Provenance Document<\/h2>\n<p>Understanding the provenance document is essential for auditing and for building automation on top of it. 
Below is a representative (abridged) provenance document of the kind <code>slsa-github-generator<\/code> produces, followed by a field-by-field explanation.<\/p>\n<pre><code>{\n  \"_type\": \"https:\/\/in-toto.io\/Statement\/v1\",\n  \"subject\": [\n    {\n      \"name\": \"ghcr.io\/YOUR_USER\/slsa-provenance-lab\",\n      \"digest\": {\n        \"sha256\": \"abc123def456789...\"\n      }\n    }\n  ],\n  \"predicateType\": \"https:\/\/slsa.dev\/provenance\/v1\",\n  \"predicate\": {\n    \"buildDefinition\": {\n      \"buildType\": \"https:\/\/slsa-framework.github.io\/github-actions-buildtypes\/workflow\/v1\",\n      \"externalParameters\": {\n        \"workflow\": {\n          \"ref\": \"refs\/tags\/v1.0.0\",\n          \"repository\": \"https:\/\/github.com\/YOUR_USER\/slsa-provenance-lab\",\n          \"path\": \".github\/workflows\/slsa-provenance.yml\"\n        }\n      },\n      \"resolvedDependencies\": [\n        {\n          \"uri\": \"git+https:\/\/github.com\/YOUR_USER\/slsa-provenance-lab@refs\/tags\/v1.0.0\",\n          \"digest\": {\n            \"gitCommit\": \"a1b2c3d4e5f6...\"\n          }\n        }\n      ]\n    },\n    \"runDetails\": {\n      \"builder\": {\n        \"id\": \"https:\/\/github.com\/slsa-framework\/slsa-github-generator\/.github\/workflows\/generator_container_slsa3.yml@refs\/tags\/v2.1.0\"\n      },\n      \"metadata\": {\n        \"invocationId\": \"https:\/\/github.com\/YOUR_USER\/slsa-provenance-lab\/actions\/runs\/1234567890\/attempts\/1\",\n        \"startedOn\": \"2026-03-23T10:15:30Z\",\n        \"finishedOn\": \"2026-03-23T10:17:45Z\"\n      }\n    }\n  }\n}<\/code><\/pre>\n<h3>Field Breakdown<\/h3>\n<ul>\n<li><strong><code>_type<\/code><\/strong> &mdash; identifies this as a version 1 <a href=\"https:\/\/in-toto.io\" target=\"_blank\" rel=\"noopener\">in-toto<\/a> Statement, the statement layer of the attestation format SLSA uses (the DSSE envelope you decoded above wraps this document and carries the signature).<\/li>\n<li><strong><code>subject<\/code><\/strong> &mdash; the artifact this provenance describes. It contains the image name and its SHA-256 digest. This is what you match against the image you are verifying.<\/li>\n<li><strong><code>predicateType<\/code><\/strong> &mdash; declares that this attestation is SLSA provenance version 1. Verification tools use it to decide how to interpret the predicate.<\/li>\n<li><strong><code>buildDefinition.buildType<\/code><\/strong> &mdash; identifies the build system. For GitHub Actions, this tells verifiers to expect GitHub-specific fields.<\/li>\n<li><strong><code>buildDefinition.externalParameters.workflow<\/code><\/strong> &mdash; the workflow file, repository and Git ref that triggered the build. Check that this matches the source you expect.<\/li>\n<li><strong><code>buildDefinition.resolvedDependencies<\/code><\/strong> &mdash; lists the resolved inputs, including the exact Git commit. This is the &#8220;materials&#8221; list: a complete record of what went into the build.<\/li>\n<li><strong><code>runDetails.builder.id<\/code><\/strong> &mdash; the URI of the builder that generated the provenance. 
For SLSA Level 3 this must be a trusted, isolated builder such as the <code>slsa-github-generator<\/code> reusable workflow at a pinned release tag.<\/li>\n<li><strong><code>runDetails.metadata<\/code><\/strong> &mdash; timestamps and a link to the specific GitHub Actions run, giving full traceability from artifact back to build.<\/li>\n<\/ul>\n<p>When building automated verification, always check: (1) the subject digest matches the image you are deploying, (2) the builder ID is on your allowlist and pinned to a tag, (3) the source repository and ref match your expectations, and (4) the signature and signer identity are valid. Do (4) first: the other fields are only worth reading once you know who signed them, and because the signer identity of a reusable builder is shared by all of its users, (3) is what ties the provenance to your own repository.<\/p>\n<h2>Cleanup<\/h2>\n<p>Remove the resources created during this lab:<\/p>\n<pre><code># Delete Kubernetes test pods\nkubectl delete pod test-allowed test-rejected --ignore-not-found\n\n# Remove the admission policy (Sigstore)\nkubectl delete clusterimagepolicy require-slsa-provenance --ignore-not-found\n\n# Or remove the Kyverno policy\nkubectl delete clusterpolicy require-slsa-provenance --ignore-not-found\n\n# Remove the namespace label\nkubectl label namespace default policy.sigstore.dev\/include-\n\n# Delete GHCR images (via GitHub UI or CLI)\ngh api -X DELETE \/user\/packages\/container\/slsa-provenance-lab\/versions\/PACKAGE_VERSION_ID\n\n# Delete the test repository if desired\n# gh repo delete YOUR_USER\/slsa-provenance-lab --yes<\/code><\/pre>\n<h2>Key Takeaways<\/h2>\n<ul>\n<li><strong>SLSA provenance is a signed, tamper-resistant record<\/strong> of how a container image was built. 
It captures the source, the builder and the build parameters.<\/li>\n<li><strong>SLSA Level 3 requires build isolation<\/strong> &mdash; <code>slsa-github-generator<\/code> achieves it by running provenance generation in a separate reusable workflow that the developer cannot modify at run time.<\/li>\n<li><strong>GitHub artifact attestations<\/strong> offer a simpler alternative that integrates tightly with the GitHub ecosystem, at the cost of portability across platforms.<\/li>\n<li><strong>Verification must be automated<\/strong> &mdash; use <code>slsa-verifier<\/code> in CI gates, <code>cosign verify-attestation<\/code> in scripts, or Kubernetes admission controllers to enforce provenance before deployment.<\/li>\n<li><strong>Provenance verification checks several claims<\/strong>: builder identity, source repository, source ref, artifact digest, and cryptographic signature validity. Checking the signer alone is not enough when the signer is a shared builder.<\/li>\n<li><strong>Inspect provenance documents<\/strong> to learn exactly what was built, from which commit, and by which builder. This is your audit trail for supply-chain incidents.<\/li>\n<\/ul>\n<h2>Next Steps<\/h2>\n<p>Continue hardening your software supply chain:<\/p>\n<ul>\n<li><a href=\"\/ar\/ci-cd-security\/artifact-provenance-attestations-slsa-in-toto\/\">Artifact Provenance and Attestations: From SLSA to in-toto<\/a> &mdash; go deeper into the SLSA framework, in-toto attestation formats, and how to build an end-to-end provenance strategy across the whole build pipeline.<\/li>\n<li><a href=\"\/ar\/ci-cd-security\/signing-verifying-container-images-sigstore-cosign\/\">Signing and Verifying Container Images with Sigstore and Cosign<\/a> &mdash; learn how to sign container images with Sigstore keyless signing, verify signatures in CI\/CD, and enforce signing policies in Kubernetes.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Overview SLSA (Supply-chain Levels for Software Artifacts) provenance is a verifiable record that describes how an artifact was built: the source repository, the build platform, the entry point and the input materials. 
When attached to a container image, provenance lets consumers answer a critical question before deployment: &#8220;Was this image really built from the source I expect, on a platform I trust?&#8221; In this &#8230; <a title=\"Hands-on Lab: Generating and Verifying SLSA Provenance Attestations for Container Images\" class=\"read-more\" href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/lab-generating-verifying-slsa-provenance-container-images\/\" aria-label=\"Read more about Hands-on Lab: Generating and Verifying SLSA Provenance Attestations for Container Images\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,67,27],"tags":[],"post_folder":[],"class_list":["post-814","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-labs","category-software-supply-chain"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=814"}],"version-history":[{"count":0,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/814\/revisions"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=814"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
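The lab's field breakdown and its closing advice for automated verification (subject digest, builder allowlist, source repository and ref, signature) describe checks but do not show them as code. The following is an added example, not code from the lab page or from slsa-verifier, cosign or gh: it decodes a DSSE envelope of the kind `cosign verify-attestation ... | jq -r .payload` or `gh attestation download` hands back and applies those checks to the in-toto statement inside. The embedded statement, its digests, commit and run ID are constructed placeholders; `SOURCE_REPO`, the v2-tag builder regex and the function names are assumptions of this example. Signature validity is deliberately left to the tools that hold the Fulcio and Rekor material; this script is meant to run on a payload they have already verified.

```python
"""Offline policy checks on a SLSA v1 provenance statement.

Added example for this lab, not code from the page, slsa-verifier, cosign or gh.
It takes the DSSE envelope those tools hand back and applies the checks the lab
lists for automation: subject digest, builder allowlist, source repository and
ref. Signature validity stays with cosign / slsa-verifier / gh (they hold the
Fulcio and Rekor material); run this on a payload one of them already verified.
All digests, commits and run IDs below are constructed placeholders.
"""
import base64
import json
import re

PREDICATE_TYPE_V1 = "https://slsa.dev/provenance/v1"
SOURCE_REPO = "https://github.com/YOUR_USER/slsa-provenance-lab"
# Builder allowlist (assumption of this example): only the generator's container
# builder, referenced by a v2 release tag, never by a branch.
TRUSTED_BUILDER = re.compile(
    r"^https://github\.com/slsa-framework/slsa-github-generator/"
    r"\.github/workflows/generator_container_slsa3\.yml@refs/tags/v2\.\d+\.\d+$"
)

# Constructed statement in the shape the lab shows, with placeholder values.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/YOUR_USER/slsa-provenance-lab", "digest": {"sha256": "ab" * 32}}],
    "predicateType": PREDICATE_TYPE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v1.0.0",
                "repository": SOURCE_REPO,
                "path": ".github/workflows/slsa-provenance.yml",
            }},
            "resolvedDependencies": [
                {"uri": f"git+{SOURCE_REPO}@refs/tags/v1.0.0", "digest": {"gitCommit": "a1" * 20}},
            ],
        },
        "runDetails": {
            "builder": {"id": "https://github.com/slsa-framework/slsa-github-generator/"
                              ".github/workflows/generator_container_slsa3.yml@refs/tags/v2.1.0"},
            "metadata": {"invocationId": f"{SOURCE_REPO}/actions/runs/1234567890/attempts/1"},
        },
    },
}


def make_envelope(statement):
    """Wrap a statement in a DSSE envelope; the signature is a placeholder."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload,
            "signatures": [{"sig": "MEUCIQD..."}]}


def decode_envelope(envelope):
    """Unwrap the in-toto statement from a DSSE envelope (no signature check here)."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    if not envelope.get("signatures"):
        raise ValueError("envelope carries no signatures")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement, image_digest, source_repo, source_ref=None):
    """Return the list of policy violations; an empty list means the statement passes."""
    problems = []
    digest = image_digest.removeprefix("sha256:")
    # (1) the attestation must be about the exact image being deployed
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if digest not in subjects:
        problems.append(f"subject digest mismatch for {digest[:12]}...")
    if statement.get("predicateType") != PREDICATE_TYPE_V1:
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    predicate = statement.get("predicate", {})
    # (2) the builder must be on the allowlist and pinned to a release tag
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if not TRUSTED_BUILDER.match(builder_id):
        problems.append(f"builder not trusted: {builder_id!r}")
    # (3) source repository and ref: the keyless identity only proves which builder
    # signed, not whose source was built, so a policy without this check is open
    build = predicate.get("buildDefinition", {})
    workflow = build.get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != source_repo:
        problems.append(f"source repository {workflow.get('repository')!r} != {source_repo!r}")
    if source_ref is not None and workflow.get("ref") != source_ref:
        problems.append(f"source ref {workflow.get('ref')!r} != {source_ref!r}")
    # the materials list must pin that same repository to a concrete commit
    pinned = any(dep.get("uri", "").startswith(f"git+{source_repo}@") and dep.get("digest", {}).get("gitCommit")
                 for dep in build.get("resolvedDependencies", []))
    if not pinned:
        problems.append("resolvedDependencies does not pin the source repository to a gitCommit")
    return problems


def verify_envelope(envelope, image_digest, source_repo, source_ref=None):
    """Decode, then check; (4) signature validity is assumed to have been done upstream."""
    return check_provenance(decode_envelope(envelope), image_digest, source_repo, source_ref)
```

In a CI gate you would feed `verify_envelope` the envelope printed by the verified `cosign verify-attestation` call and fail the job on a non-empty result; the builder regex is the allowlist from check (2), and the repository comparison is what rejects provenance that the same generator produced for a different project.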
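The ClusterImagePolicy in Exercise 6 asserts only the predicate type. Since slsa-github-generator signs every user's provenance with the same reusable-workflow identity, that policy admits an image whose provenance the generator produced for any other repository. The following is an added example, not taken from the lab page or from the policy-controller project, of a ClusterImagePolicy whose CUE policy also pins the builder to a v2 release tag and the source repository and ref recorded in the provenance. The policy name, the tag constraints and `YOUR_USER` are assumptions. Kyverno users get the same effect with `conditions` under `attestations`, using JMESPath over the predicate.

```yaml
# Added example (not from the lab page or the policy-controller project): a
# ClusterImagePolicy that pins the builder and the source repository recorded
# in the provenance, not just the predicate type. Name, tag constraints and
# YOUR_USER are assumptions.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: require-pinned-slsa-provenance
spec:
  images:
    - glob: "ghcr.io/YOUR_USER/**"
  authorities:
    - keyless:
        url: https://fulcio.sigstore.dev
        identities:
          # The signing identity is the generator's reusable workflow, which is
          # identical for every repository that calls it: pin it to a release tag.
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: "^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v2\\.[0-9]+\\.[0-9]+$"
      attestations:
        - name: pinned-slsa-provenance
          # cosign alias for https://slsa.dev/provenance/v1
          predicateType: slsaprovenance1
          policy:
            type: cue
            # Evaluated against the in-toto statement carried by the attestation.
            data: |
              predicateType: "https://slsa.dev/provenance/v1"
              predicate: {
                buildDefinition: externalParameters: workflow: {
                  // whose source was built: the one thing the signer identity cannot tell you
                  repository: "https://github.com/YOUR_USER/slsa-provenance-lab"
                  ref:        =~"^refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$"
                }
                runDetails: builder: id: =~"^https://github\\.com/slsa-framework/slsa-github-generator/\\.github/workflows/generator_container_slsa3\\.yml@refs/tags/v2\\.[0-9]+\\.[0-9]+$"
              }
```

Apply it with `kubectl apply -f` in place of the looser policy and re-run the two admission tests from Exercise 6; an image built from a fork, or by the generator referenced at a branch instead of a tag, now fails the CUE constraints even though its signature verifies.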