GitLab SLSA
This page describes GitLab support for SLSA.
SLSA provenance generation
GitLab offers a SLSA Level 1 compliant provenance statement that can be automatically generated for all build artifacts produced by the GitLab Runner. This provenance statement is produced by the runner itself.
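One check a consumer of such a statement can run, shown as an added example that is not GitLab's code: compare the SHA-256 of each artifact with the digests listed as the statement's subjects. It assumes the statement is in-toto Statement JSON with `subject[].name` and `subject[].digest.sha256`; `check_artifacts` and the sample data are constructed for illustration.

```python
"""Check job artifacts against the subjects of a SLSA provenance statement."""
import hashlib
import hmac
import json


def check_artifacts(statement_json: str, artifacts: dict) -> dict:
    """Map each name to 'match', 'mismatch', 'not-in-provenance' or 'missing'.

    artifacts maps artifact name -> file content (bytes).
    """
    stmt = json.loads(statement_json)
    # Assumed layout: an in-toto Statement wrapping a SLSA provenance predicate.
    if not str(stmt.get("_type", "")).startswith("https://in-toto.io/Statement/"):
        raise ValueError("not an in-toto statement")
    if not str(stmt.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        raise ValueError("predicate is not SLSA provenance")

    expected = {s["name"]: s.get("digest", {}).get("sha256", "").lower()
                for s in stmt.get("subject", [])}
    result = {}
    for name, data in artifacts.items():
        if name not in expected:
            result[name] = "not-in-provenance"  # file the statement never covered
            continue
        actual = hashlib.sha256(data).hexdigest()
        ok = hmac.compare_digest(actual, expected[name])
        result[name] = "match" if ok else "mismatch"
    for name in expected.keys() - artifacts.keys():
        result[name] = "missing"  # listed subject with no file to check
    return result


# Constructed sample data (not real GitLab Runner output).
SAMPLE_APP = b"constructed build output\n"
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [
        {"name": "app.bin", "digest": {"sha256": hashlib.sha256(SAMPLE_APP).hexdigest()}},
        {"name": "docs.tar", "digest": {"sha256": "0" * 64}},
    ],
    "predicate": {},
})

if __name__ == "__main__":
    print(check_artifacts(SAMPLE_STATEMENT, {"app.bin": SAMPLE_APP, "extra.txt": b"x"}))
```

A match shows only that the file and the statement agree; it does not authenticate the statement itself, which is what signing the provenance addresses.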
Sign and verify SLSA provenance with a CI/CD Component
The GitLab SLSA CI/CD component provides configurations for:
- Signing runner-generated provenance statements.
- Generating Verification Summary Attestations (VSA) for job artifacts.
For more information and example configurations, see the SLSA Component documentation.