Automic VaultAutomic Vault

brew

Install slsa-verifier with Homebrew, Nix, zypper

Verify provenance from SLSA compliant builders. Version 2.7.1 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install slsa-verifier

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#slsa-verifier

nixpkgs package indexes · pkgs/by-name/sl/slsa-verifier/package.nix · source: api.github.com

openSUSE zypperverified · 92%
sudo zypper install slsa-verifier

openSUSE Tumbleweed package metadata · slsa-verifier · source: download.opensuse.org

overview

Package summary

Verify provenance from SLSA compliant builders

Commands and aliases

  • slsa-verifier

history

Project history and usage

slsa-verifier is the SLSA project's command-line verifier for provenance attached to software artifacts. It is used in CI and release workflows to check that an artifact, image, or package was built by an expected builder from expected source inputs.

Project history

The GitHub repository was created in March 2022 and its first public GitHub release, v0.0.1, was published in May 2022. The README describes the tool as a verifier for SLSA provenance generated by CI/CD builders, including checks of cryptographic signatures and expected builder, source repository, and ref values.

Adoption history

The official README documents installation through Go, release binaries, a GitHub Actions installer, and a community-maintained Homebrew formula. The supplied package metadata also lists Homebrew, Nix, and zypper package names, showing distribution through both developer workstations and reproducible-build/package-manager ecosystems.

How it is used

Common usage is to run `slsa-verifier` in a release or dependency-ingestion path to verify provenance for artifacts, containers, npm packages, Google Cloud Build output, and GitHub build-provenance attestations.

Why package nerds care

Package maintainers care about slsa-verifier because it turns SLSA provenance, in-toto statements, and Sigstore-style attestations into a concrete command that can be wired into package publication and consumption workflows.

Timeline

  • 2022: GitHub repository created.
  • 2022: v0.0.1 published as the first GitHub release.
  • 2025: v2.7.1 documented in the README install examples.

Related projects

  • SLSA generator, Google Cloud Build provenance, GitHub build-provenance attestations, npm provenance, in-toto, and Sigstore are adjacent parts of the same supply-chain verification culture.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
slsa-verifiercliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.7.1
manager updated
local dataok
upstreamcurrent
latest detectedv2.7.1

https://github.com/slsa-framework/slsa-verifier

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:slsa-verifier
Version2.7.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/slsa-verifier
Homepagehttps://github.com/slsa-framework/slsa-verifier
Repositoryhttps://github.com/slsa-framework/slsa-verifier
Upstream docshttps://github.com/slsa-framework/slsa-verifier#readme
LicenseApache-2.0
Source archivehttps://github.com/slsa-framework/slsa-verifier/archive/refs/tags/v2.7.1.tar.gz
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameslsa-verifier
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

slsa-verifier

nix profile install nixpkgs#slsa-verifier
  • normalized package name match
  • Matched by: Slsa Verifier
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/sl/slsa-verifier/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
zypper95%

slsa-verifier 2.7.1-1.4

Verify provenance from SLSA compliant builders

https://github.com/slsa-framework/slsa-verifier

sudo zypper install slsa-verifier
  • License: Apache-2.0
  • Category: System/Management
  • Architecture: x86_64
  • Source Package: slsa-verifier
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Slsa Verifier
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: slsa-verifier from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment