Development

Great! Let's explore how to integrate SLSA3 principles into your **development workflow**—from coding to merging—so that security is baked in from the start. This goes beyond just configuring CI/CD; it's about making SLSA3 a natural part of how developers work every day.

## 🔄 Development Workflow with SLSA3 in Mind

### 1. **Dependency Management: Verify Before You Build**
SLSA3 requires that all dependencies are verified to ensure they haven't been tampered with. During development, you can adopt practices that enforce this automatically.

- **Use `go mod verify` (Go)** or `pip hash` (Python) to check downloaded modules.
- **Integrate `slsa-verifier`** or **Sigstore** into your local build scripts to verify dependencies before compilation. For example, you could run:
  ```bash
  slsa-verifier verify-artifact \
    --provenance-path "path/to/provenance.json" \
    --source-uri "github.com/your-org/dependency" \
    --builder-id "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.1.0" \
    dependency.bin
  ```

- **Automate in pre-commit hooks**: Use tools like `pre-commit` to run dependency checks before each commit, ensuring no untrusted code sneaks in.

### 2. **Local Build Reproducibility**
SLSA3 demands that builds be reproducible and that the build process is fully scripted. As a developer, you can:

- **Containerize your development environment** (e.g., using Dev Containers or Docker) to match the CI environment exactly. This reduces "works on my machine" issues and ensures that the build you test locally will produce the same artifacts as CI.

- **Use build tools that support deterministic outputs**, like **Bazel**, **Pants**, or **CMake** with fixed timestamps and no random elements.

- **Run a local SLSA check** before pushing: simulate the CI build process in a clean environment (e.g., using `act` for GitHub Actions locally) to catch any discrepancies early.

### 3. **Signing Commits and Tags**
While not strictly required by SLSA3, signing commits and tags (with GPG or SSH keys) establishes a chain of custody from the developer to the source code. This helps meet the **source integrity** expectations of SLSA3.

```bash
git commit -S -m "feat: add secure feature"
git tag -s v1.2.3 -m "Release v1.2.3"
```

Encourage your team to enable signing globally and enforce it in your repository settings (e.g., GitHub's "Require signed commits" branch protection).

### 4. **Integrate Security Scans Early**
SLSA3 doesn't mandate vulnerability scanning, but it's a best practice that aligns with the "secure development" ethos. Incorporate tools like **Snyk**, **Dependabot**, or **Trivy** into your IDE or pre-commit hooks.

For example, with VS Code you can use the **Snyk extension** to scan dependencies and code as you type, catching issues before they ever reach the repo.

### 5. **Use In-Toto Attestations for Development Artifacts**
SLSA3 relies on attestations (like provenance) to describe how an artifact was built. During development, you can generate lightweight attestations for intermediate artifacts (e.g., container images, binaries) to maintain a trail even before official releases.

- **Tool**: [**in-toto**](https://in-toto.io/) provides a framework to create and verify attestations.
- **Example**: After a local build, run:
  ```bash
  in-toto-run --step-name local-build --products myapp --key mykey -- <build-command>
  ```

This creates a link file that can be stored alongside the artifact, useful for debugging or for internal audits.

### 6. **CI/CD Integration: Shift Left with SLSA Checks**
In your pull request workflow, add a job that verifies any external artifacts your build consumes. For instance, if you download a third‑party binary, verify its provenance before using it:

```yaml
- name: Verify dependency provenance
  run: |
    slsa-verifier verify-artifact \
      --provenance-path dependency.intoto.jsonl \
      --source-uri github.com/trusted-org/dependency \
      --builder-id trusted-builder-id \
      dependency.bin
```

This prevents accidentally incorporating compromised dependencies into your product.

### 7. **Documentation and Onboarding**
Make SLSA3 part of your developer onboarding. Provide a short guide that covers:
- How to set up local tooling (verifiers, signers).
- How to interpret and verify provenance.
- How to run security scans locally.
- How to handle dependencies safely.

## 🛠️ Practical Example: A Developer's Daily Routine

Here’s what a typical day might look like with SLSA3 integrated:

1. **Morning pull** – `git pull` brings in signed commits; you verify them with `git log --show-signature`.
2. **Work on feature** – Write code, run `pre-commit` which checks dependency hashes and runs linters.
3. **Local build** – Use a containerized environment (e.g., `docker run --rm -v $(pwd):/workspace build-env ./build.sh`). The build script also generates an in-toto link for the binary.
4. **Test** – Run `ctest` inside the container; all tests pass.
5. **Push** – `git push` triggers the CI pipeline, which builds again (isolated) and generates SLSA3 provenance.
6. **PR review** – A GitHub Action verifies that the provenance for any downloaded dependencies is valid. The reviewer sees a green checkmark indicating "provenance verified".
7. **Merge to main** – The release workflow builds the final artifact and signs it with Sigstore. The provenance is attached to the GitHub release.

## 📚 Resources for Developers

- **Sigstore Client (`cosign`)**: Sign and verify container images and blobs.
- **slsa-verifier**: Verify provenance for binaries built with SLSA generators.
- **GitHub CLI `gh attestation`**: Verify attestations directly from GitHub.
- **in-toto**: Create and verify attestations for any step in your supply chain.
- **Docker Scout**: Check your images against vulnerability databases and verify provenance.

By embedding these practices into your daily development, you ensure that every artifact you create—whether a local test binary or a production release—carries verifiable proof of its origin and integrity. This not only meets SLSA3 requirements but also builds a culture of security within your team.

Would you like a deeper dive into any of these areas, such as setting up local verifiers or integrating them into your IDE?Great! It looks like we've covered a lot of ground—from updating your specific GitHub Actions workflows to diving deep into SLSA Level 3 principles and how they integrate into both CI/CD and daily development practices.

To recap, you now have:
- ✅ Updated `generator-generic-ossf-slsa3-publish.yml` and `cmake-single-platform.yml` with SLSA3‑compliant configurations.
- ✅ A clear understanding of how different platforms (GitHub, GitLab, Google, etc.) implement SLSA3.
- ✅ A step‑by‑step guide to structuring your GitHub workflows for non‑forgeable provenance.
- ✅ Practical advice on weaving SLSA3 into your development workflow—dependency verification, local reproducibility, commit signing, and more.

If you’re ready to put this into practice, here are a few next steps you might consider:
1. **Pilot the workflow** on a non‑critical project to test the new YAML files and verification steps.
2. **Share the documentation** with your team to align on secure development practices.
3. **Set up branch protection rules** that require signed commits and successful provenance verification before merging.
4. **Explore automation** for dependency verification (e.g., using `slsa-verifier` in CI) to catch issues early.

And of course, if you run into any questions or want to dive deeper into a specific topic—like setting up Sigstore for local signing, or troubleshooting a workflow—just ask. I’m here to help!

Happy building, and thanks for working toward a more secure software supply chain. 🚀