feat(slsa): add RequireAttestation configuration for strict SLSA verification #259
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…fication Add support for LEEWAY_SLSA_REQUIRE_ATTESTATION environment variable and --slsa-require-attestation CLI flag to control behavior when SLSA attestations are missing or invalid. When RequireAttestation=true (strict mode): - Missing/invalid attestation → skip download, build locally - Enables self-healing for cross-PR attestation mismatches - Auto-enabled when provenance.slsa=true in WORKSPACE.yaml When RequireAttestation=false (permissive mode, default): - Missing/invalid attestation → download without verification (with warning) - Provides graceful degradation and backward compatibility Changes: - Add EnvvarSLSARequireAttestation constant to cmd/root.go and pkg/leeway/workspace.go - Add --slsa-require-attestation flag to build command - Update parseSLSAConfig() to read and apply RequireAttestation setting - Update ApplySLSADefaults() to auto-enable RequireAttestation with SLSA L3 - Enhance documentation in pkg/leeway/cache/types.go - Update implementation comments in pkg/leeway/cache/remote/s3.go The actual RequireAttestation logic in downloadWithSLSAVerification() was already implemented; this commit adds the configuration mechanism. Co-authored-by: Ona <[email protected]>
Add test coverage for the new RequireAttestation configuration: - Extend TestBuildCommandFlags with 3 test cases for --slsa-require-attestation flag - Default value (false) - Enabled via flag - Explicitly disabled via flag - Add TestParseSLSAConfig with 6 test cases for configuration parsing logic - Verification disabled - Verification enabled without source URI (error case) - Verification enabled with source URI - RequireAttestation via environment variable - RequireAttestation via CLI flag (overrides env var) - CLI flag disables RequireAttestation (overrides env var) Tests follow existing patterns in build_test.go and verify: - Flag parsing and default values - Environment variable handling - CLI flag precedence over environment variables - Configuration object creation with correct RequireAttestation value All tests pass successfully. Co-authored-by: Ona <[email protected]>
Add comprehensive documentation for SLSA cache verification modes:
README.md changes:
- Add new section "SLSA Cache Verification Modes" explaining:
- Permissive Mode (RequireAttestation=false): Downloads without verification
when attestation is missing, provides graceful degradation
- Strict Mode (RequireAttestation=true): Skips download and builds locally
when attestation is missing, enables self-healing for cross-PR mismatches
- Add LEEWAY_SLSA_REQUIRE_ATTESTATION to auto-enabled environment variables list
- Add "Require attestation" to SLSA L3 feature list
- Provide examples for overriding the mode via CLI flag and environment variable
CLI help text changes (cmd/root.go):
- Add LEEWAY_SLSA_REQUIRE_ATTESTATION to environment variables list
- Brief description: "Require valid attestations; missing/invalid → build locally"
Documentation now covers:
- What: Clear explanation of both verification modes
- Why: Use cases and benefits of each mode
- How: Configuration methods with practical examples
- When: Auto-enabled with SLSA L3, can be overridden
Co-authored-by: Ona <[email protected]>
leodido
requested review from
aledbf,
corneliusludmann,
csweichel,
geropl and
kylos101
aledbf
approved these changes
Oct 29, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds support for
LEEWAY_SLSA_REQUIRE_ATTESTATIONenvironment variable and--slsa-require-attestationCLI flag to control behavior when SLSA attestations are missing or invalid.Problem
When attestations from one PR fail verification in another PR (e.g., due to source URI mismatches like
refs/pull/11265/mergevsrefs/pull/11279/merge), the current behavior downloads artifacts without verification. This creates a security gap where unverified artifacts are used without being re-signed with the correct attestation.Fixes https://linear.app/ona-team/issue/CLC-2053/mechanism-to-control-behavior-when-slsa-attestations-are-missing-or
Solution
Add
RequireAttestationconfiguration that enables two verification modes:Permissive Mode (RequireAttestation=false, default)
Strict Mode (RequireAttestation=true)
provenance.slsa=truein WORKSPACE.yamlChanges
Configuration (Commit 1)
EnvvarSLSARequireAttestationconstant tocmd/root.goandpkg/leeway/workspace.go--slsa-require-attestationflag to build commandparseSLSAConfig()to read and apply RequireAttestation settingApplySLSADefaults()to auto-enable RequireAttestation with SLSA L3pkg/leeway/cache/types.gopkg/leeway/cache/remote/s3.goNote: The actual RequireAttestation logic in
downloadWithSLSAVerification()was already implemented; this PR adds the configuration mechanism.Tests (Commit 2)
TestBuildCommandFlagswith 3 test cases for--slsa-require-attestationflagTestParseSLSAConfigwith 6 test cases for configuration parsing logicDocumentation (Commit 3)
LEEWAY_SLSA_REQUIRE_ATTESTATIONto CLI help textUsage
Via Environment Variable
Via CLI Flag
Automatic (Workspace Config)
Testing
All tests pass:
Implementation Notes
S3Cache.downloadWithSLSAVerification()(line 484)s3_slsa_test.goands3_resilience_test.goalready verify the behavior