Enterprise Software Supply Chain Manager (ESSCM)
Component attestation and SCAL levels in Safeguard.sh
Attestation
The Attestation tab displays supply chain verification information for each component, including the Safeguard Component Attestation Level (SCAL) which indicates the trustworthiness of a component's origin and build process.
Overview
Attestation helps you understand:
- Where a component came from
- How it was built
- Whether it can be trusted
- If the build is reproducible
SCAL Levels
Safeguard Component Attestation Level (SCAL) rates components from 0-5, where lower is better:
| Level | Name | Description |
|---|---|---|
| SCAL 0 | Fully Attested | Complete attestation chain including reproducible builds, signatures, and transparency logs. Lowest risk. |
| SCAL 1 | Attested Build & Source | Build provenance and source code are verified. |
| SCAL 2 | Attested Component | Component has basic attestation (e.g., signed package). |
| SCAL 3 | Known Component | Component is identified in registries but has no attestation. |
| SCAL 4 | Partially Unknown | Component has limited verification. |
| SCAL 5 | Unknown Component | Component origin cannot be verified. Highest risk. |
SCAL Visual Indicators
| Level | Color | Meaning |
|---|---|---|
| SCAL 0 | 🟢 Green | Excellent - Fully verified |
| SCAL 1 | 🟢 Green | Good - Well attested |
| SCAL 2 | 🟡 Yellow | Fair - Partial attestation |
| SCAL 3 | 🟠 Orange | Poor - Known but unverified |
| SCAL 4 | 🟠 Orange | Very Poor - Limited verification |
| SCAL 5 | 🔴 Red | Critical - Unknown origin |
Viewing Attestations
In Explore SBOM
- Open a project from the Projects page
- Navigate to Explore SBOM
- Click the Attestation tab
- View SCAL levels for all components
Attestation Dashboard
The Attestation tab displays:
| Column | Description |
|---|---|
| Component | Package name and version |
| SCAL Level | Attestation level (0-5) |
| Attestation Type | SLSA, Sigstore, In-toto, etc. |
| Signature Status | Verified/Unverified/None |
| Provenance | Build origin information |
Filtering
- By SCAL Level - Show only specific levels
- By Attestation Type - Filter by SLSA, Sigstore, etc.
- Unattested Only - Show SCAL 3-5 components
- Search - Find specific components
Attestation Details
Click on any component to view full attestation details:
Summary
| Field | Description |
|---|---|
| SCAL Level | Current attestation level |
| Attestation Type | Type of attestation found |
| Last Verified | When attestation was checked |
| Verification Status | Pass/Fail/Partial |
Provenance Information
| Field | Description |
|---|---|
| Build Platform | Where component was built |
| Source Repository | Original source code location |
| Build Trigger | What initiated the build |
| Build Timestamp | When it was built |
| Builder Identity | Who/what built it |
Signature Details
| Field | Description |
|---|---|
| Signature Type | PGP, Sigstore, etc. |
| Signer Identity | Who signed the artifact |
| Signature Status | Valid/Invalid/Expired |
| Certificate Chain | Trust chain verification |
Transparency Log
| Field | Description |
|---|---|
| Log Entry | Rekor or similar log entry |
| Entry ID | Unique log identifier |
| Inclusion Proof | Cryptographic proof of inclusion |
Attestation Types
SLSA Provenance
Supply-chain Levels for Software Artifacts:
| SLSA Level | SCAL Mapping | Requirements |
|---|---|---|
| SLSA 4 | SCAL 0 | Two-party review, hermetic builds |
| SLSA 3 | SCAL 0-1 | Hardened build platform |
| SLSA 2 | SCAL 1 | Hosted build, signed provenance |
| SLSA 1 | SCAL 2 | Documented build process |
Sigstore
Keyless signing with:
- OIDC-based identity
- Fulcio certificates
- Rekor transparency log
- Timestamp authority
In-toto
Framework providing:
- Layout definitions
- Step attestations
- Multi-party verification
- Custom policies
Package Signatures
Traditional signatures:
- PGP/GPG signatures
- Package manager signatures
- Publisher certificates
Improving SCAL Levels
For SCAL 5 Components
- Identify alternatives - Find similar packages with attestation
- Contact maintainers - Request they add attestation
- Document risk - If you must use it, record the risk and add a mitigation
- Consider forking - Build your own attested version
For SCAL 3-4 Components
- Check for updates - Newer versions may have attestation
- Use Gold Directory - Find pre-verified alternatives
- Add to watchlist - Monitor for attestation additions
For Your Own Packages
Add attestation using:
```bash
# Using Sigstore cosign (sign-blob signs a file; plain `cosign sign` expects a container image)
cosign sign-blob --key cosign.key --output-signature mypackage.tar.gz.sig mypackage.tar.gz
```

```yaml
# Using the SLSA GitHub Action: the generator is a reusable workflow, called from a job (not a step)
jobs:
  provenance:
    needs: [build]   # your build job must output the base64-encoded sha256sums as `hashes`
    permissions: { actions: read, id-token: write, contents: write }
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
    with: { base64-subjects: "${{ needs.build.outputs.hashes }}" }
```
Attestation Policies
Setting Requirements
Create policies requiring maximum SCAL levels:
- Go to Policies & Gates
- Create new rule
- Set maximum SCAL level
- Choose enforcement (warn/fail)
Policy Examples
| Policy | Requirement |
|---|---|
| Production | All components SCAL 2 or lower |
| Critical Systems | All components SCAL 1 or lower |
| Development | Warn on SCAL 5 |
Verification Process
When Safeguard.sh analyzes a component:
- Fetch Attestations - Download from registries, transparency logs
- Verify Signatures - Check cryptographic validity
- Validate Claims - Ensure claims match component
- Check Revocation - Verify not revoked
- Assign SCAL - Calculate attestation level
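As an added worked example (not Safeguard.sh's own code; the field names, the order of checks and the exact thresholds are assumptions modelled on the SCAL table, the Verification Process steps and the Policy Examples table), this shows how the five verification steps can feed a SCAL assignment and a maximum-SCAL policy check:

```python
from dataclasses import dataclass

@dataclass
class AttestationFacts:
    """Outcome of the verification steps for one component (constructed model)."""
    known_in_registry: bool = False    # step 1: resolvable in a package registry
    signature_present: bool = False    # step 1: a signature or attestation was fetched
    signature_valid: bool = False      # step 2: cryptographic check passed
    provenance_verified: bool = False  # step 3: build provenance matches the artifact
    source_verified: bool = False      # step 3: source repository claim checked out
    reproducible: bool = False         # step 3: an independent rebuild matched
    in_transparency_log: bool = False  # step 3: inclusion proof (e.g. Rekor) verified
    revoked: bool = False              # step 4: signer key or identity revoked

def assign_scal(f: AttestationFacts) -> int:
    """Step 5: map results onto SCAL 0-5 (lower is better), following the level
    descriptions in the SCAL table. A revoked signature counts as no signature,
    so a revocation can only move a component to a higher (worse) level."""
    signed = f.signature_present and f.signature_valid and not f.revoked
    if signed and f.provenance_verified and f.source_verified:
        return 0 if f.reproducible and f.in_transparency_log else 1
    if signed:
        return 2   # Attested Component: signed, but no verified provenance
    if f.known_in_registry:
        return 3   # Known Component: identified, no usable attestation
    if f.signature_present:
        return 4   # Partially Unknown: evidence exists but could not be verified
    return 5       # Unknown Component: origin cannot be verified

# The Policy Examples table as maximum allowed SCAL plus enforcement mode.
POLICIES = {
    "Production": {"max_scal": 2, "enforcement": "fail"},
    "Critical Systems": {"max_scal": 1, "enforcement": "fail"},
    "Development": {"max_scal": 4, "enforcement": "warn"},  # warn on SCAL 5
}

def evaluate_policy(policy: str, scal_by_component: dict) -> tuple:
    """Return ("pass" | "warn" | "fail", {component: scal}) listing the
    components whose SCAL exceeds the policy's maximum."""
    rule = POLICIES[policy]
    offenders = {c: s for c, s in scal_by_component.items() if s > rule["max_scal"]}
    return ("pass" if not offenders else rule["enforcement"]), offenders

if __name__ == "__main__":  # constructed sample components, not real packages
    levels = {"libfoo@1.2.0": assign_scal(AttestationFacts(True, True, True, True, True, True, True)),
              "bar-utils@0.9": assign_scal(AttestationFacts(True, True, True)),
              "vendored-blob": assign_scal(AttestationFacts())}
    print(levels, evaluate_policy("Production", levels))
    # {'libfoo@1.2.0': 0, 'bar-utils@0.9': 2, 'vendored-blob': 5} ('fail', {'vendored-blob': 5})
```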
API Access
```bash
# Get attestation data for a project
curl -X GET https://api.safeguard.sh/v1/projects/{id}/attestations \
  -H "Authorization: Bearer $API_KEY"

# Get attestation details for a component
curl -X GET https://api.safeguard.sh/v1/projects/{id}/components/{component}/attestation \
  -H "Authorization: Bearer $API_KEY"

# Verify a specific attestation (JSON body, so declare the content type)
curl -X POST https://api.safeguard.sh/v1/attestations/verify \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"attestation": "base64-encoded-attestation"}'
```
Best Practices
Monitoring
- Track SCAL distribution across projects
- Alert on new SCAL 5 components
- Review attestation trends
Selection
- Prefer SCAL 0-1 packages
- Use Gold Directory for verified components
- Document exceptions for high-SCAL packages
Compliance
- Set maximum SCAL requirements
- Include in security gates
- Report on attestation coverage