SLSA provenance for Go, Node.js, and Python: binary builds, package publishing, container images, and dependency verification with cryptographic integrity proofs.
Generates SLSA provenance for Go, Node.js, and Python builds. Use when building binaries, packages, or container images to create cryptographic integrity proofs and attestations.
/plugin marketplace add adaptive-enforcement-lab/claude-skills/plugin install enforce@ael-skillsThis skill inherits all available tools. When active, it can use any tool Claude has access to.
examples.mdreference.mdscripts/example-1.yamlscripts/example-2.yamlLanguage-specific toolchains have unique SLSA integration points:
Each toolchain guide covers:
See the full implementation guide in the source documentation.
All toolchains support generating provenance for multiple artifacts in a single build:
jobs:
build:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- name: Build artifacts
run: |
# Toolchain-specific build commands
- name: Generate hashes
id: hash
run: |
sha256sum artifacts/* | base64 -w0 > hashes.txt
echo "hashes=$(cat hashes.txt)" >> "$GITHUB_OUTPUT"
provenance:
needs: [build]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true
This pattern works for:
All toolchains support container image attestation:
jobs:
build-image:
outputs:
digest: ${{ steps.build.outputs.digest }}
steps:
- name: Build container image
id: build
run: |
# Toolchain-specific container build
podman build -t myapp:latest .
DIGEST=$(podman inspect myapp:latest --format='{{.Id}}')
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
provenance:
needs: [build-image]
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
with:
image: ghcr.io/org/myapp
digest: "${{ needs.build-image.outputs.digest }}"
See toolchain-specific guides for:
All toolchains support dependency verification:
=== "Go"
```yaml
- name: Verify Go modules
run: |
go mod verify
go mod download -json | jq -r '.Error' | grep -q '^null$'
```
=== "Node.js"
```yaml
- name: Verify npm dependencies
run: |
npm ci --audit
npm audit signatures
```
=== "Python"
```yaml
- name: Verify Python dependencies
run: |
pip install --require-hashes -r requirements.txt
pip check
```
See reference.md for additional techniques and detailed examples.
See examples.md for code examples.
See reference.md for complete documentation.
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.
Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. Use it when brand colors or style guidelines, visual formatting, or company design standards apply.
Create beautiful visual art in .png and .pdf documents using design philosophy. You should use this skill when the user asks to create a poster, piece of art, design, or other static piece. Create original visual designs, never copying existing artists' work to avoid copyright violations.