Skip to content

feat(slsa): add RequireAttestation configuration for strict SLSA verification#259

Merged
leodido merged 3 commits intomainfrom
slsa-require-attestation
Oct 29, 2025
Merged

feat(slsa): add RequireAttestation configuration for strict SLSA verification#259
leodido merged 3 commits intomainfrom
slsa-require-attestation

Conversation

@leodido
Copy link
Contributor

@leodido leodido commented Oct 29, 2025
edited
Loading

Summary

Adds support for LEEWAY_SLSA_REQUIRE_ATTESTATION environment variable and --slsa-require-attestation CLI flag to control behavior when SLSA attestations are missing or invalid.

Problem

When attestations from one PR fail verification in another PR (e.g., due to source URI mismatches like refs/pull/11265/merge vs refs/pull/11279/merge), the current behavior downloads artifacts without verification. This creates a security gap where unverified artifacts are used without being re-signed with the correct attestation.

Fixes https://linear.app/ona-team/issue/CLC-2053/mechanism-to-control-behavior-when-slsa-attestations-are-missing-or

Solution

Add RequireAttestation configuration that enables two verification modes:

Permissive Mode (RequireAttestation=false, default)

  • Missing/invalid attestation → Download without verification (with warning)
  • Provides graceful degradation and backward compatibility
  • Useful during migration or when some artifacts lack attestations

Strict Mode (RequireAttestation=true)

  • Missing/invalid attestation → Skip download, build locally with correct attestation
  • Enables self-healing for cross-PR attestation mismatches
  • Auto-enabled when provenance.slsa=true in WORKSPACE.yaml
  • Recommended for production environments requiring SLSA L3 compliance

Changes

Configuration (Commit 1)

  • Add EnvvarSLSARequireAttestation constant to cmd/root.go and pkg/leeway/workspace.go
  • Add --slsa-require-attestation flag to build command
  • Update parseSLSAConfig() to read and apply RequireAttestation setting
  • Update ApplySLSADefaults() to auto-enable RequireAttestation with SLSA L3
  • Enhance documentation in pkg/leeway/cache/types.go
  • Update implementation comments in pkg/leeway/cache/remote/s3.go

Note: The actual RequireAttestation logic in downloadWithSLSAVerification() was already implemented; this PR adds the configuration mechanism.

Tests (Commit 2)

  • Extend TestBuildCommandFlags with 3 test cases for --slsa-require-attestation flag
  • Add TestParseSLSAConfig with 6 test cases for configuration parsing logic
  • Tests verify flag parsing, environment variable handling, and CLI flag precedence

Documentation (Commit 3)

  • Add "SLSA Cache Verification Modes" section to README.md
  • Add LEEWAY_SLSA_REQUIRE_ATTESTATION to CLI help text
  • Provide examples for overriding the mode

Usage

Via Environment Variable

export LEEWAY_SLSA_REQUIRE_ATTESTATION=true
leeway build :app

Via CLI Flag

leeway build :app --slsa-require-attestation

Automatic (Workspace Config)

# WORKSPACE.yaml
provenance:
  enabled: true
  slsa: true  # Automatically enables RequireAttestation=true

Testing

All tests pass:

$ go test ./cmd/... ./pkg/leeway/cache/...
PASS
ok      github.com/gitpod-io/leeway/cmd                         0.761s
ok      github.com/gitpod-io/leeway/pkg/leeway/cache/remote    62.909s

Implementation Notes

  • Only affects AWS S3 remote cache (GCP/gsutil does not support SLSA verification)
  • The RequireAttestation logic is used in one place: S3Cache.downloadWithSLSAVerification() (line 484)
  • Existing tests in s3_slsa_test.go and s3_resilience_test.go already verify the behavior

leodido and others added 3 commits October 29, 2025 13:19
@leodido @ona-agent
feat(slsa): add RequireAttestation configuration for strict SLSA veri…
cd00a6e 
…fication

Add support for LEEWAY_SLSA_REQUIRE_ATTESTATION environment variable and
--slsa-require-attestation CLI flag to control behavior when SLSA
attestations are missing or invalid.

When RequireAttestation=true (strict mode):
- Missing/invalid attestation → skip download, build locally
- Enables self-healing for cross-PR attestation mismatches
- Auto-enabled when provenance.slsa=true in WORKSPACE.yaml

When RequireAttestation=false (permissive mode, default):
- Missing/invalid attestation → download without verification (with warning)
- Provides graceful degradation and backward compatibility

Changes:
- Add EnvvarSLSARequireAttestation constant to cmd/root.go and pkg/leeway/workspace.go
- Add --slsa-require-attestation flag to build command
- Update parseSLSAConfig() to read and apply RequireAttestation setting
- Update ApplySLSADefaults() to auto-enable RequireAttestation with SLSA L3
- Enhance documentation in pkg/leeway/cache/types.go
- Update implementation comments in pkg/leeway/cache/remote/s3.go

The actual RequireAttestation logic in downloadWithSLSAVerification() was
already implemented; this commit adds the configuration mechanism.

Co-authored-by: Ona <no-reply@ona.com>
@leodido @ona-agent
test(slsa): add comprehensive tests for RequireAttestation configuration
fbdda50 
Add test coverage for the new RequireAttestation configuration:

- Extend TestBuildCommandFlags with 3 test cases for --slsa-require-attestation flag
  - Default value (false)
  - Enabled via flag
  - Explicitly disabled via flag

- Add TestParseSLSAConfig with 6 test cases for configuration parsing logic
  - Verification disabled
  - Verification enabled without source URI (error case)
  - Verification enabled with source URI
  - RequireAttestation via environment variable
  - RequireAttestation via CLI flag (overrides env var)
  - CLI flag disables RequireAttestation (overrides env var)

Tests follow existing patterns in build_test.go and verify:
- Flag parsing and default values
- Environment variable handling
- CLI flag precedence over environment variables
- Configuration object creation with correct RequireAttestation value

All tests pass successfully.

Co-authored-by: Ona <no-reply@ona.com>
@leodido @ona-agent
docs(slsa): document RequireAttestation modes and configuration
024be4d 
Add comprehensive documentation for SLSA cache verification modes:

README.md changes:
- Add new section "SLSA Cache Verification Modes" explaining:
  - Permissive Mode (RequireAttestation=false): Downloads without verification
    when attestation is missing, provides graceful degradation
  - Strict Mode (RequireAttestation=true): Skips download and builds locally
    when attestation is missing, enables self-healing for cross-PR mismatches
- Add LEEWAY_SLSA_REQUIRE_ATTESTATION to auto-enabled environment variables list
- Add "Require attestation" to SLSA L3 feature list
- Provide examples for overriding the mode via CLI flag and environment variable

CLI help text changes (cmd/root.go):
- Add LEEWAY_SLSA_REQUIRE_ATTESTATION to environment variables list
- Brief description: "Require valid attestations; missing/invalid → build locally"

Documentation now covers:
- What: Clear explanation of both verification modes
- Why: Use cases and benefits of each mode
- How: Configuration methods with practical examples
- When: Auto-enabled with SLSA L3, can be overridden

Co-authored-by: Ona <no-reply@ona.com>
@leodido leodido self-assigned this Oct 29, 2025
@leodido leodido merged commit 913dd16 into main Oct 29, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@csweichel csweichel Awaiting requested review from csweichel

@kylos101 kylos101 Awaiting requested review from kylos101

@geropl geropl Awaiting requested review from geropl

@corneliusludmann corneliusludmann Awaiting requested review from corneliusludmann

1 more reviewer

@aledbf aledbf aledbf approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@leodido leodido

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@leodido @aledbf