Eventually, I think this list should be moved closer to the VSA spec itself so that users can reference the schema and these specific requirements together.
SLSA has two main phases: data production and policy evaluation.
Provenance attestations are data production.
They are generated by authoritative sources, sources responsible for overseeing the claims to which they attest.
"VSAs" are policy evaluations.
A policy can be evaluated against the tamper-resistant provenance attestations to produce a policy decision.
The organization uses VSAs to determine whether a specific artifact, package, or repository revision is suitable for the next phase of the SDLC.
Originally posted by @marcelamelara in #1094 (comment)