slsa-verifier
Description:
Verify provenance from SLSA compliant builders
Type: Formula  |  Latest Version: 2.7.1@0  |  Tracked Since: Dec 27, 2025
Links: Homepage  |  formulae.brew.sh
Category: Security
Tags: security devsecops supply-chain provenance verification compliance
Install: brew install slsa-verifier
About:
slsa-verifier is a command-line tool that validates artifacts against the Supply-chain Levels for Software Artifacts (SLSA) framework. It checks the signatures on provenance attestations produced by SLSA-compliant build platforms and verifies that the attested provenance is authentic, unaltered, and matches the artifact being checked. Its main value is giving users grounds to trust that a software binary was built securely and has not been tampered with.
Key Features:
  • Verifies provenance attestations from builders like GitHub Actions and Google Cloud Build
  • Validates artifact integrity against the signed provenance statement
  • Supports verification against different SLSA build levels (1-4)
  • Can be integrated into CI/CD pipelines for automated compliance checks
  • Provides detailed output on verification success or failure reasons
Use Cases:
  • Enforcing supply chain security policies in CI/CD pipelines before deployment
  • Auditing open-source or third-party binaries for build integrity before use
  • Implementing a secure software procurement process for internal development
Alternatives:
  • cosign – Cosign is a general-purpose tool for signing and verifying container images and artifacts, while slsa-verifier is specifically designed for the SLSA provenance format and framework.
  • in-toto – In-toto is a framework to secure software supply chains, providing a more flexible metadata format; slsa-verifier is a concrete implementation focused on verifying SLSA, which builds upon in-toto concepts.
Version History:
Detected              Version  Rev  Change        Commit
Dec 27, 2025 6:36pm   2.7.1    0    VERSION_BUMP  57fe1c5a
Sep 15, 2025 10:41am           0    VERSION_BUMP  914ec6bb
Sep 13, 2024 11:27pm           0    VERSION_BUMP  f892b465