
SLSA Provenance Generator Buildkite Plugin

A proof-of-concept SLSA provenance generator for Buildkite.

It is based on the SLSA GitHub Actions Demo; the SLSA description below is taken from that repository:

Background

SLSA is a framework intended to codify and promote secure software supply-chain practices. SLSA helps trace software artifacts (e.g. binaries) back to the build and source control systems that produced them using in-toto’s Attestation metadata format.

Description

This proof-of-concept GitHub Action demonstrates an initial SLSA integration conformant with SLSA Level 1. This provenance can be uploaded to the native artifact store or to any other artifact repository.

While there are no integrity guarantees on the produced provenance at L1, publishing artifact provenance in a common format opens up opportunities for automated analysis and auditing. Additionally, moving build definitions into source control and onto well-supported, secure build systems represents a marked improvement from the ecosystem’s current state.

Example Usage

Generate provenance for a single build artifact:

steps:
  - label: "🔨 Create artifact and generate provenance"
    command:
      - "mkdir build"
      - "echo 'build artifact' > build/artifact.txt"
    artifact_paths:
      - "build/*"
    plugins:
      - hi-artem/provenance-generator#v1.1.11:
          output-path: "provenance.json"

Generate provenance for multiple build artifacts:

steps:
  - label: "🔨 Create artifacts and generate provenance"
    command:
      - "mkdir build"
      - "echo 'build artifact 1' > build/artifact1.txt"
      - "echo 'build artifact 2' > build/artifact2.txt"
      - "echo 'build artifact 3' > build/artifact3.txt"
    artifact_paths:
      - "build/*"
    plugins:
      - hi-artem/provenance-generator#v1.1.11:
          output-path: "provenance.json"
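
A consumer-side check of the generated provenance.json against downloaded artifacts, as an added example (not part of the plugin or its README). It assumes the file is an in-toto Statement whose subject entries carry a name and a sha256 digest; `check_artifacts`, `sample_statement` and the sample file contents are hypothetical.

```python
import hashlib

# Assumption: provenance.json is an in-toto Statement whose "subject" list has
# one {"name": ..., "digest": {"sha256": ...}} entry per uploaded artifact.
def check_artifacts(statement, artifacts):
    """Compare artifact bytes ({name: bytes}) with the Statement's subjects.
    Returns {name: status} with status one of: ok, digest-mismatch,
    not-in-provenance (file has no subject), missing-artifact (subject, no file).
    """
    if not str(statement.get("_type", "")).startswith("https://in-toto.io/Statement/"):
        raise ValueError("not an in-toto Statement")
    subjects = statement.get("subject")
    if not isinstance(subjects, list) or not subjects:
        raise ValueError("Statement lists no subjects")
    recorded = {}
    for subject in subjects:
        digest = str(subject.get("digest", {}).get("sha256", "")).lower()
        if len(digest) != 64:
            raise ValueError(f"subject {subject.get('name')!r} has no sha256 digest")
        recorded[subject["name"]] = digest
    result = {}
    for name, data in artifacts.items():
        if name not in recorded:
            result[name] = "not-in-provenance"
        elif hashlib.sha256(data).hexdigest() != recorded[name]:
            result[name] = "digest-mismatch"
        else:
            result[name] = "ok"
    for name in sorted(recorded.keys() - artifacts.keys()):
        result[name] = "missing-artifact"
    return result

def sample_statement():
    """Constructed sample, not real plugin output: two subjects, empty predicate."""
    files = {"artifact1.txt": b"build artifact 1\n", "artifact2.txt": b"build artifact 2\n"}
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.1",
        "subject": [{"name": n, "digest": {"sha256": hashlib.sha256(d).hexdigest()}}
                    for n, d in files.items()],
        "predicate": {},
    }

if __name__ == "__main__":
    fetched = {"artifact1.txt": b"build artifact 1\n", "artifact2.txt": b"changed\n",
               "notes.txt": b"unlisted\n"}  # constructed download set
    for name, status in check_artifacts(sample_statement(), fetched).items():
        print(f"{name}: {status}")
```

Because L1 provenance carries no integrity guarantee, this check catches mix-ups and corruption between build and download, not a party able to rewrite provenance.json as well.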

Security and Support

This is a demo repo and is not intended to be used in production contexts. As such, we cannot make any commitments of future support.

Contributing

  1. Fork the repo
  2. Make the changes
  3. Run the tests
  4. Commit and push your changes
  5. Send a pull request

The plugins listed on this webpage are provided for informational purposes only. They have not undergone any formal security review or assessment. While we strive to provide useful resources, we cannot guarantee the safety, reliability, or integrity of these plugins. Users are strongly advised to conduct their own security evaluations before downloading, installing, or using any plugin. By using these plugins, you acknowledge and accept any risks associated with their use. We disclaim any liability for any harm or damages arising from the use of the plugins listed.
