17 changes: 14 additions & 3 deletions examples/jenkins-provenance/README.md
@@ -1,6 +1,16 @@
# Jenkins SLSA Evidence Example

This project demonstrates how to automate npm builds, generate SLSA provenance, convert it to Markdown, and attach the signed provenance evidence to the npm package in JFrog Artifactory using Jenkins Pipeline and JFrog CLI.
This repository provides a working example of a Jenkins Pipeline that builds an npm package, automatically generates SLSA-compliant provenance, and attaches this provenance as signed, verifiable evidence to the package in JFrog Artifactory.

This pipeline is a cornerstone of a secure software supply chain, creating a tamper-proof, auditable record that verifies how and where your software was built, all within your Jenkins ecosystem.

### **Key Features**

* **Automated npm Build**: Builds and publishes an npm package to Artifactory using the JFrog CLI.
* **SLSA Provenance Generation**: Leverages the **Jenkins SLSA Plugin** to automatically generate SLSA-compliant provenance metadata for the build.
* **Optional Markdown Summary**: Includes a helper script to generate a human-readable Markdown report from the provenance data.
* **Signed Evidence Attachment**: Attaches the SLSA provenance predicate to the corresponding npm package in Artifactory, cryptographically signing it for integrity.


## Overview

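Review bot: "tamper-proof, auditable record" in the new second paragraph overstates what a signed attestation gives you; a signature makes the provenance tamper-evident, and only for a consumer that actually verifies it against the matching public key. Suggest "tamper-evident, auditable record" and a sentence saying that verification (checking the evidence signature before trusting the package) is the consumer's step, not something the pipeline does for them. Two smaller points on the same hunk: "SLSA-compliant provenance" should say which SLSA provenance predicate version the Jenkins SLSA Plugin emits, since that is what the `--predicate-type` value later in the README has to match; and `### **Key Features**` mixes a level-3 heading with bold while the rest of the file uses plain `## Overview`-style headings, so `## Key Features` would be consistent.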
@@ -100,8 +110,9 @@ Trigger the pipeline in Jenkins. The pipeline will:
- **Attach Evidence:**
This crucial phase runs after the build is successful and handles the generation and attachment of the evidence.

* **Generate SLSA Provenance**: The **Jenkins SLSA Plugin** automatically hooks into the build process. After the build completes, it generates an SLSA-compliant provenance file (e.g., `predicate.json`) attesting to the build's inputs, steps, and outputs.
* **Attach Signed Evidence**: The final step uses `jf evd create` to attach the generated provenance file to the npm package that was published earlier. This creates a permanent, tamper-proof link between the package and its build provenance.
* **Generate SLSA Provenance**: The **Jenkins SLSA Plugin** automatically hooks into the build process. After the build completes, it generates an SLSA-compliant provenance file (e.g., `predicate.json`) attesting to the build's inputs, steps, and outputs.
* **Attach Signed Evidence**: The final step uses `jf evd create` to attach the generated provenance file to the npm package that was published earlier. This creates a permanent, tamper-proof link between the package and its build provenance.

```bash
jf evd create --package-name="$PACKAGE_NAME" --package-version="$PACKAGE_VERSION" --package-repo-name="$PACKAGE_REPO_NAME" --key="$PRIVATE_PEM" --key-alias="$KEY_ALIAS" --predicate="$PREDICATE_FILE_NAME" --predicate-type="$PREDICATE_TYPE" --markdown="$MARKDOWN_FILE_NAME"
```
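Review bot: the `jf evd create` line passes the signing key as `--key="$PRIVATE_PEM"` but the README never says how that value is provisioned, and that is the one part of this step a reader can get badly wrong. If `$PRIVATE_PEM` is a path, the file should be materialised from a Jenkins credential inside `withCredentials` with restrictive permissions and deleted after the step; if it is the PEM contents, it must not be expanded on the command line at all, where it can surface in `set -x` output, build logs and process listings. Add a short note on which form is expected and where the key comes from. Also, `--markdown="$MARKDOWN_FILE_NAME"` is passed unconditionally, while the Key Features section calls the Markdown summary optional; if the helper script is skipped, the file does not exist and the command fails, so either document the flag as required here or show how to omit it. Finally, "permanent, tamper-proof link" in the re-indented bullet has the same overstatement as the intro: the link is signed and tamper-evident, and it holds only if the consumer verifies the signature.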