enforce-slsa

What problem does it solve?

Add an SLSA Verification step to an existing Harness pipeline to verify SLSA provenance attestations and optionally enforce OPA policy sets on provenance data. Supports CI and CD (Deployment) including CI-only pipelines — append a Deploy stage via Phase 3b when verifying before deploy. Supports Docker, ECR, GCR, GAR, ACR, HAR, and Local artifacts. Only works with existing pipelines. Use when asked to verify SLSA, enforce SLSA policies, add SLSA verification step, validate SLSA attestation, or gate deploy on SLSA provenance. Trigger phrases: enforce SLSA, SLSA verification, verify SLSA, SLSA policy enforcement, SlsaVerification, verify SLSA attestation, add SLSA verify step.

Core Features & Use Cases

• The wizard-based interaction guides users through the entire SLSA verification workflow, including placement, source inference, attestation verification, policy enforcement, and submission.
• Supports CI, CD (including containerized step groups for Deploy) and Security stages, with the ability to gate deployment on provenance attestations.
• Reuses the SLSA generation source to map provenance to verification fields and preserves consistency between generation and verification steps.
• Never executes pipelines during configuration; instructs users to run /run-pipeline to validate verifications after setup.
• Encourages complementary workflows: generate SLSA with /generate-slsa and manage policy sets via /create-policy.

Quick Start

Run /enforce-slsa to configure SLSA verification on an existing pipeline.