@avrabe avrabe commented Jan 10, 2026

Summary

Adds a TOML-based policy engine for enforcing SLSA levels and supply chain security requirements on WebAssembly transformation chains.

Policy Engine (src/lib/src/policy/)

  • SLSA level detection (L0-L4) based on attestation properties:
    • L1: Provenance exists (attestation present)
    • L2: Signed provenance (attestation signed)
    • L3: Hardened build (transparency log)
    • L4: Hermetic build (all inputs verified)
  • Per-rule enforcement modes - strict (fail) vs report (warn only)
  • Trusted tools with version constraints and public keys
  • Trusted builders for CI/CD provenance validation
  • Attestation age validation

CLI Changes

  • --policy <FILE> flag for TOML policy files
  • --strict override all rules to strict enforcement
  • --report-only override all rules to report-only mode
  • Pretty-print policy evaluation with SLSA improvement suggestions

Attestation Updates

  • New fields: public_key, certificate_chain, rekor_uuid
  • signing feature with build_and_sign_ed25519()
  • standards feature re-exporting in_toto_attestation

Examples

  • examples/policies/development.toml - permissive for local dev
  • examples/policies/production.toml - strict SLSA L2 policy
  • examples/policies/slsa-l3.toml - keyless with transparency log
  • examples/loom-integration.md - full Loom integration guide

Usage

# Verify against policy
wsc verify-chain -i app.wasm --policy production.toml

# Override to report-only during rollout
wsc verify-chain -i app.wasm --policy production.toml --report-only

Test plan

  • All 511 existing tests pass
  • 40 new policy engine tests
  • End-to-end flow tested with test script
  • CI passes
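A worked illustration of the SLSA level ladder, per-rule enforcement modes, CLI overrides and attestation age check described in the PR body. This is added example code, not the wsc project's own implementation: the type names (`Attestation`, `Policy`, `Rule`, `Mode`, `Finding`), their fields and the policy shape are assumptions, and the sample attestation values in the comments are constructed.

```rust
// Added example (not wsc's own code): a std-only model of SLSA level detection,
// per-rule enforcement modes and attestation age validation. Type names, field
// names and the policy shape are assumptions about how such an engine is laid out.
use std::time::Duration;

/// SLSA levels, ordered so that `>=` compares them.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum SlsaLevel { L0, L1, L2, L3, L4 }

/// The attestation properties the level ladder looks at (assumed shape).
#[derive(Debug, Clone, Default)]
pub struct Attestation {
    pub present: bool,              // L1: provenance exists
    pub signed: bool,               // L2: provenance is signed
    pub rekor_uuid: Option<String>, // L3: recorded in a transparency log
    pub all_inputs_verified: bool,  // L4: hermetic build
    pub created_at: u64,            // unix seconds, used by the age rule
}

/// Walk the ladder from the bottom and stop at the first missing property.
pub fn detect_level(a: &Attestation) -> SlsaLevel {
    if !a.present { return SlsaLevel::L0; }
    if !a.signed { return SlsaLevel::L1; }
    if a.rekor_uuid.is_none() { return SlsaLevel::L2; }
    if !a.all_inputs_verified { return SlsaLevel::L3; }
    SlsaLevel::L4
}

/// What is missing to reach the next level (the "improvement suggestion").
pub fn suggestion(level: SlsaLevel) -> Option<&'static str> {
    match level {
        SlsaLevel::L0 => Some("L1: generate provenance for the artifact"),
        SlsaLevel::L1 => Some("L2: sign the provenance"),
        SlsaLevel::L2 => Some("L3: record the signature in a transparency log"),
        SlsaLevel::L3 => Some("L4: verify every build input (hermetic build)"),
        SlsaLevel::L4 => None,
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Mode { Strict, Report }

/// One rule with its own enforcement mode, as a TOML policy would carry it.
pub struct Rule<T> { pub mode: Mode, pub threshold: T }

pub struct Policy {
    pub min_level: Rule<SlsaLevel>,
    pub max_age: Rule<Duration>,
    /// A `--strict` / `--report-only` style override applied to every rule.
    pub override_mode: Option<Mode>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Finding { Pass(String), Warn(String), Fail(String) }

pub struct Evaluation { pub level: SlsaLevel, pub findings: Vec<Finding> }

impl Evaluation {
    /// Only strict-mode violations (Fail) make the evaluation fail.
    pub fn passed(&self) -> bool {
        !self.findings.iter().any(|f| matches!(f, Finding::Fail(_)))
    }
}

/// A violation becomes Fail or Warn depending on the rule's effective mode.
fn violation(mode: Mode, msg: String) -> Finding {
    match mode { Mode::Strict => Finding::Fail(msg), Mode::Report => Finding::Warn(msg) }
}

pub fn evaluate(policy: &Policy, att: &Attestation, now_unix: u64) -> Evaluation {
    let effective = |rule_mode: Mode| policy.override_mode.unwrap_or(rule_mode);
    let level = detect_level(att);
    let mut findings = Vec::new();

    // Rule 1: minimum SLSA level, with the next step attached to a violation.
    let required = policy.min_level.threshold;
    if level >= required {
        findings.push(Finding::Pass(format!("SLSA {:?} meets minimum {:?}", level, required)));
    } else {
        let mut msg = format!("SLSA {:?} below required {:?}", level, required);
        if let Some(s) = suggestion(level) { msg.push_str("; next step: "); msg.push_str(s); }
        findings.push(violation(effective(policy.min_level.mode), msg));
    }

    // Rule 2: attestation age. A timestamp in the future is reported as a
    // violation, not as "age zero": it points at a bad clock or a forged field.
    if att.present {
        let limit = policy.max_age.threshold;
        match now_unix.checked_sub(att.created_at).map(Duration::from_secs) {
            Some(age) if age <= limit =>
                findings.push(Finding::Pass(format!("attestation age {}s within limit", age.as_secs()))),
            Some(age) => findings.push(violation(effective(policy.max_age.mode),
                format!("attestation age {}s exceeds {}s", age.as_secs(), limit.as_secs()))),
            None => findings.push(violation(effective(policy.max_age.mode),
                "attestation timestamp is in the future".to_string())),
        }
    }

    Evaluation { level, findings }
}
```

The override is applied when a rule is evaluated rather than by rewriting the policy, so the same loaded policy can be run strict in CI and report-only during a rollout without two copies of the file. The age rule is skipped when no attestation is present, since the level rule already reports that case and an age on a missing attestation would be meaningless.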

avrabe and others added 5 commits January 11, 2026 18:00
Adds a TOML-based policy engine for enforcing SLSA levels and supply
chain security requirements on WebAssembly transformation chains.

Policy Engine:
- SLSA level detection (L0-L4) based on attestation properties
- Per-rule enforcement modes (strict vs report)
- Trusted tools with version constraints
- Trusted builders for CI/CD provenance
- Attestation age validation

CLI:
- Add --policy flag to verify-chain command
- Add --strict and --report-only overrides
- Pretty-print policy evaluation results with SLSA suggestions

Attestation:
- Add public_key, certificate_chain, rekor_uuid fields
- Add signing feature with build_and_sign_ed25519()
- Add standards feature re-exporting in_toto_attestation

Examples:
- development.toml - permissive for local dev
- production.toml - strict SLSA L2 policy
- slsa-l3.toml - keyless with transparency log
- loom-integration.md - full integration guide

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@avrabe avrabe force-pushed the feat/policy-engine branch from 7334f94 to 47f2361 January 11, 2026 17:00
@avrabe avrabe merged commit 07de195 into main Jan 11, 2026
9 checks passed
@avrabe avrabe deleted the feat/policy-engine branch January 11, 2026 17:16