Xygeni Build Attestation

Xygeni Security

6 installs | (0) | Free
Generate attestations such as SLSA Provenance for the build.

Azure Pipelines Task for Xygeni Build Attestation

Overview

This task can be used to generate a SLSA Provenance attestation for a build in Azure Pipelines.

The task uses Xygeni SALT (Software Attestations Layer for Trust), the component for generating, registering and verifying software attestations.

Need some help to understand Software Attestations? Visit Build Security Concepts, where Software Attestations and SLSA Provenance are described.

For more information on Xygeni Build Attestation (SALT), visit Xygeni Build Security.

Software Attestations and SLSA Provenance

A software attestation is an assertion made about a piece of software: an authenticated statement (metadata) about a software artifact or a collection of software artifacts.

Attestations provide a verifiable record of the steps performed to build the final software artifacts, including the input materials for each step and the build commands that were run.

A provenance attestation is a statement about how, when and where a software artifact was built. The SLSA standard defines a provenance attestation format and model.

This task automates the process of generating SLSA Provenance attestations using Xygeni SALT, linking input sources with generated artifacts such as executables and images.

Installing the task

Go to the Visual Studio Marketplace, search for Xygeni Build Attestation and install it, or go directly to the extension page at Xygeni Build Attestation.

Using the task

  1. Add the task to your pipeline: search for Xygeni Build Attestation.

     [Figure: Search Extension]

  2. Edit the task inputs using the right panel (1), or in the pipeline YAML editor (2).

     [Figure: Edit Task]

  3. Optionally publish the signed attestation and the more user-friendly unsigned attestation using the standard PublishBuildArtifacts task (3).

Task properties

The task has the following properties:

| Name | Description | Default |
| --- | --- | --- |
| pipeline | Pipeline build ID | $(Build.DefinitionName)/$(Build.BuildId) |
| project | Project name | $(Build.Repository.Name) |
| xygeniToken | Xygeni API token (env:VARNAME or file:PATH); alternatively passed in the XYGENI_TOKEN pipeline or environment variable | $(XYGENI_TOKEN) |
| repoDir | Repository directory | $(Build.Repository.LocalPath) |
| srcDir | Source directory | $(Build.SourcesDirectory) |
| executable | Executable name | |
| image | Container image name (e.g., myorg/myimage:latest) | |
| keyless | Use keyless attestation (default: false) | true |
| key | Signing private key (env:VARNAME or file:PATH); alternatively passed in the SALT_PRIVATE_KEY pipeline or environment variable | env:SALT_PRIVATE_KEY |
| keypass | The password for the signing private key | env:SALT_PRIVATE_KEY_PASS |
| pubkey | The signing public key for verification, in PEM format. Use either this or cert. | env:SALT_PUBLIC_KEY |
| cert | The signing public key or certificate for verification, in PEM format. Use either this or pubkey. | |
| outDir | Directory where attestation files will be saved | $(Build.ArtifactStagingDirectory)/attestation |
| signedAttestation | Signed attestation file | provenance.json |
| unsignedAttestation | Unsigned attestation file | provenance-unsigned.json |
| upload | Upload the signed attestation to Xygeni | true |

Keyless mode, in which an ephemeral key is generated, certified and registered in a transparency log, is the default. If you prefer to sign and verify attestations with your own keys, set keyless to false and provide values for the key, keypass and pubkey (or cert) inputs.

Keyless mode is described in Keyless signing and in Using keyless signatures.
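The steps under "Using the task" and the properties above, combined in one pipeline as an added example (this is not the extension's own sample): the build produces an executable, the task generates the provenance in bring-your-own-key mode, and PublishBuildArtifacts publishes both attestation files. The task identifier, the variable group name and the build command are placeholders/assumptions; copy the real task id from the YAML editor (2) after adding the task.

```yaml
# Added example, not from the extension's documentation.
# PLACEHOLDER: replace XygeniBuildAttestation@1 with the task id shown in the YAML editor.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # Assumed variable group holding the secrets XYGENI_TOKEN, SALT_PRIVATE_KEY,
  # SALT_PRIVATE_KEY_PASS and SALT_PUBLIC_KEY.
  - group: xygeni-secrets

steps:
  - script: make build            # assumed build command producing dist/myapp
    displayName: Build

  - task: XygeniBuildAttestation@1   # PLACEHOLDER task id (see note above)
    displayName: Generate SLSA provenance
    inputs:
      pipeline: $(Build.DefinitionName)/$(Build.BuildId)
      project: $(Build.Repository.Name)
      xygeniToken: env:XYGENI_TOKEN
      repoDir: $(Build.Repository.LocalPath)
      srcDir: $(Build.SourcesDirectory)
      executable: dist/myapp
      keyless: false                 # own keys: key, keypass and pubkey (or cert) are required
      key: env:SALT_PRIVATE_KEY
      keypass: env:SALT_PRIVATE_KEY_PASS
      pubkey: env:SALT_PUBLIC_KEY
      outDir: $(Build.ArtifactStagingDirectory)/attestation
      signedAttestation: provenance.json
      unsignedAttestation: provenance-unsigned.json
      upload: true
    env:
      # Secret pipeline variables are not exposed to tasks automatically;
      # they must be mapped into the environment explicitly.
      XYGENI_TOKEN: $(XYGENI_TOKEN)
      SALT_PRIVATE_KEY: $(SALT_PRIVATE_KEY)
      SALT_PRIVATE_KEY_PASS: $(SALT_PRIVATE_KEY_PASS)
      SALT_PUBLIC_KEY: $(SALT_PUBLIC_KEY)

  - task: PublishBuildArtifacts@1    # step (3): publish signed and unsigned attestations
    displayName: Publish attestation files
    inputs:
      PathtoPublish: $(Build.ArtifactStagingDirectory)/attestation
      ArtifactName: attestation
```

Consumers can then download the attestation artifact alongside the build output and verify the signature with the public key before trusting the provenance.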

Working with attestations

Once the provenance attestation is generated, it can be distributed along with the software artifact(s) it references. By default the attestation is registered in the Xygeni transparency log and stored as a local file, which can be published as a build artifact and also stored in your registry of choice. For example, a container image can have its provenance attestation co-located with the image in the same OCI registry, so consumers of the image can use it to verify the provenance and treat it as a source of trust.

Xygeni SALT supports other attestation formats.

License

The task is released under the Apache 2.0 License.
