SLSA / in-toto provenance audit
Local supply-chain auditor for npm + PyPI build attestations.
Mini-Shai-Hulud beat SLSA L3 by compromising the GitHub-Actions runner that produced the attestation. The signature was real; the supply chain wasn't. digger's SLSA auditor walks every locally installed npm and PyPI package, parses any attestation files shipped next to the install, and emits findings for missing, tampered, untrusted-builder, or source-mismatched provenance.
Strictly local
digger does not fetch the published package, talk to the registry, or download attestations. The operator fetches the attestation bundle once (curl, gh attestation download) and drops it next to the install for offline verification.
Attestation shapes parsed
- Bare in-toto statement (predicateType + subject + predicate)
- DSSE envelope (base64-encoded payload)
- Sigstore bundle ({ "dsseEnvelope": {...} } wrapper)
- npm registry attestations-API response ({ "attestations": [{ "bundle": {...} }, ...] })
- SLSA v1, v0.2, and v0.1 predicate shapes (builder.id, source URI, subject sha256)
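The wrapper shapes above nest inside one another, so a parser has to peel them recursively before it can read the predicate. The following is an added example, not digger's own code: it unwraps all four shapes and reads the builder id and subject digests from SLSA v1 and v0.1/v0.2 predicates. It does not verify the DSSE signature, and the package name, digest and builder id in the sample are constructed placeholders.

```python
import base64
import json

SLSA_PREFIX = "https://slsa.dev/provenance/"  # shared by v0.1, v0.2 and v1

def unwrap(doc):
    """Yield each in-toto statement inside any of the wrapper shapes."""
    if not isinstance(doc, dict):
        raise ValueError("attestation is not a JSON object")
    if "attestations" in doc:        # npm attestations-API response
        for item in doc["attestations"]:
            yield from unwrap(item.get("bundle", {}))
    elif "dsseEnvelope" in doc:      # Sigstore bundle
        yield from unwrap(doc["dsseEnvelope"])
    elif "payload" in doc:           # DSSE envelope; signature is NOT verified here
        yield from unwrap(json.loads(base64.b64decode(doc["payload"])))
    elif "predicateType" in doc:     # bare in-toto statement
        yield doc

def summarize(stmt):
    """Extract predicate type, builder id and subject digests."""
    pred = stmt.get("predicate", {})
    # SLSA v1 nests the builder under runDetails; v0.1 and v0.2 keep it top-level.
    builder = pred.get("runDetails", {}).get("builder") or pred.get("builder") or {}
    return {
        "slsa": stmt["predicateType"].startswith(SLSA_PREFIX),
        "builder_id": builder.get("id"),
        "sha256": [s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])],
    }

def parse(raw):
    """Return one summary per statement, or None when the file is unparseable."""
    try:
        return [summarize(s) for s in unwrap(json.loads(raw))]
    except (ValueError, TypeError, AttributeError, KeyError):
        return None

# Constructed sample data: placeholder digest and builder id, not real values.
def dsse(stmt):
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []}

SUBJECT = [{"name": "pkg:npm/example@1.0.0", "digest": {"sha256": "ab" * 32}}]
V1 = {"predicateType": SLSA_PREFIX + "v1", "subject": SUBJECT,
      "predicate": {"runDetails": {"builder": {"id": "https://example.invalid/builder"}}}}
SBOM = {"predicateType": "https://spdx.dev/Document", "subject": SUBJECT, "predicate": {}}
NPM_RESPONSE = json.dumps({"attestations": [{"bundle": {"dsseEnvelope": dsse(V1)}},
                                            {"bundle": {"dsseEnvelope": dsse(SBOM)}}]})
```

`parse(NPM_RESPONSE)` returns two summaries: the first is SLSA provenance with a builder id, the second is a non-provenance predicate with none.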
Where digger looks for attestations
- npm: node_modules/<pkg>/.npm-attestation.json, npm-attestation.json, .sigstore-bundle.json, sigstore-bundle.json
- PyPI: site-packages/<pkg>-<ver>.dist-info/PROVENANCE.json, provenance.json, attestations.json
Detection layers (S1–S5)
| ID | Severity | What it catches | MITRE |
|---|---|---|---|
| S1 | info | No attestation shipped locally. Bulk of npm + PyPI still lacks provenance — for high-value deps, fetch from registry and drop next to install. | T1195.002 |
| S2 | high | Attestation present but unparseable. Tampering, toolchain bug, or schema drift — manual review. | T1195.002 |
| S3 | medium | Builder ID not on trusted-builder allowlist (github.com/actions/runner, slsa-github-generator, gh-action-pypi-publish, Cloud Build, GitLab Runner). Self-hosted may be legitimate — verify. Extend via DIGGER_SLSA_TRUSTED_BUILDERS env var. | T1195.002 |
| S4 | high | Manifest repository.url doesn't match the attestation's source URI. Typo-squat / maintainer-hijack fingerprint. | T1195.002 |
| S5 | medium | Predicate type is not a SLSA provenance predicate (SBOM, VEX, etc.). Useful but doesn't tell you who built the artifact. | T1195.002 |
CLI
$ digger slsa audit --case-dir /tmp/case [--roots dir1,dir2] [--verbose]
[slsa] packages audited: 412
[slsa] with attestation: 23
[slsa] parse errors: 0
[slsa] untrusted builder: 2
[slsa] artifacts emitted: 412
Auto-discovery covers ~/node_modules, the system site-packages, the user-site directory, and macOS-frameworks site-packages. Supply explicit --roots to scope.