macOS
brew install slsa-verifierlocal Homebrew formula metadata
brew
Verify provenance from SLSA compliant builders. Version 2.7.1 via Homebrew; verified from local package data.
install
brew install slsa-verifierlocal Homebrew formula metadata
nix profile install nixpkgs#slsa-verifiernixpkgs package indexes · pkgs/by-name/sl/slsa-verifier/package.nix · source: api.github.com
sudo zypper install slsa-verifieropenSUSE Tumbleweed package metadata · slsa-verifier · source: download.opensuse.org
overview
Verify provenance from SLSA compliant builders
history
slsa-verifier is the SLSA project's command-line verifier for provenance attached to software artifacts. It is used in CI and release workflows to check that an artifact, image, or package was built by an expected builder from expected source inputs.
The GitHub repository was created in March 2022 and its first public GitHub release, v0.0.1, was published in May 2022. The README describes the tool as a verifier for SLSA provenance generated by CI/CD builders, including checks of cryptographic signatures and expected builder, source repository, and ref values.
The official README documents installation through Go, release binaries, a GitHub Actions installer, and a community-maintained Homebrew formula. The supplied package metadata also lists Homebrew, Nix, and zypper package names, showing distribution through both developer workstations and reproducible-build/package-manager ecosystems.
Common usage is to run `slsa-verifier` in a release or dependency-ingestion path to verify provenance for artifacts, containers, npm packages, Google Cloud Build output, and GitHub build-provenance attestations.
Package maintainers care about slsa-verifier because it turns SLSA provenance, in-toto statements, and Sigstore-style attestations into a concrete command that can be wired into package publication and consumption workflows.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
slsa-verifier | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/slsa-framework/slsa-verifier
install metadata
| Package key | brew:slsa-verifier |
|---|---|
| Version | 2.7.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/slsa-verifier |
| Homepage | https://github.com/slsa-framework/slsa-verifier |
| Repository | https://github.com/slsa-framework/slsa-verifier |
| Upstream docs | https://github.com/slsa-framework/slsa-verifier#readme |
| License | Apache-2.0 |
| Source archive | https://github.com/slsa-framework/slsa-verifier/archive/refs/tags/v2.7.1.tar.gz |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | slsa-verifier |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
slsa-verifier
nix profile install nixpkgs#slsa-verifierslsa-verifier 2.7.1-1.4
Verify provenance from SLSA compliant builders
https://github.com/slsa-framework/slsa-verifier
sudo zypper install slsa-verifiersource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.