
k2gl/slsa-provenance
====================

Faithful, typed PHP implementation of the SLSA Provenance v1 and v0.2 predicates, built on k2gl/in-toto-attestation.

Version 1.1.0 (released 1w ago) · MIT · PHP >=8.1 · CI passing

On Packagist since May 30 · Pushed 1w ago

[Source](https://github.com/k2gl/slsa-provenance) · [Packagist](https://packagist.org/packages/k2gl/slsa-provenance) · [Docs](https://github.com/k2gl/slsa-provenance) · [RSS](/packages/k2gl-slsa-provenance/feed)


A faithful, typed PHP implementation of the [SLSA Provenance v1](https://slsa.dev/spec/v1.0/provenance) predicate (`https://slsa.dev/provenance/v1`) and the legacy [v0.2](https://slsa.dev/provenance/v0.2) predicate still carried by most real-world bundles, built on [`k2gl/in-toto-attestation`](https://github.com/k2gl/in-toto-attestation).

SLSA Provenance describes *how* an artifact was built — the build definition (inputs) and the run details (who built it, when, and what came out). This package models that predicate as typed value objects and plugs it straight into an in-toto Statement, ready to sign with [`k2gl/dsse`](https://github.com/k2gl/dsse).

Install
-------

```bash
composer require k2gl/slsa-provenance
```

Requires PHP 8.1+. Pulls in `k2gl/in-toto-attestation` and `k2gl/dsse`.

Usage
-----

```php
use K2gl\Slsa\Provenance;
use K2gl\Slsa\BuildDefinition;
use K2gl\Slsa\RunDetails;
use K2gl\Slsa\Builder;
use K2gl\Slsa\BuildMetadata;
use K2gl\InToto\ResourceDescriptor;

$provenance = new Provenance(
    new BuildDefinition(
        buildType: 'https://example.com/buildtypes/v1',
        externalParameters: ['repository' => 'https://github.com/k2gl/dsse', 'ref' => 'refs/tags/1.0.0'],
        resolvedDependencies: [
            new ResourceDescriptor(uri: 'git+https://github.com/k2gl/dsse', digest: ['gitCommit' => '…']),
        ],
    ),
    new RunDetails(
        builder: new Builder(id: 'https://github.com/actions/runner', version: ['runner' => '2.x']),
        metadata: new BuildMetadata(invocationId: 'run-42', startedOn: '2026-05-30T00:00:00Z'),
    ),
);

// Wrap as an in-toto Statement over the built artifacts, then sign with k2gl/dsse:
$statement = $provenance->toStatement([
    new ResourceDescriptor(name: 'app.phar', digest: ['sha256' => '…']),
]);
$envelope = $statement->sign($signer);   // K2gl\Dsse\Envelope
```

Parsing back (after verifying the envelope's signatures):

```php
use K2gl\InToto\Statement;
use K2gl\Slsa\Provenance;

$statement  = Statement::fromEnvelope($envelope);
$provenance = Provenance::fromStatement($statement);   // checks predicateType

$provenance->buildDefinition->buildType;          // 'https://example.com/buildtypes/v1'
$provenance->runDetails->builder->id;             // 'https://github.com/actions/runner'
$provenance->runDetails->metadata?->invocationId; // 'run-42'
```

SLSA Provenance v0.2
--------------------

Most provenance found in real Sigstore bundles is the older `v0.2` predicate (`https://slsa.dev/provenance/v0.2`), which has a different shape from v1. It lives under `K2gl\Slsa\V02` with its own typed value objects:

```php
use K2gl\InToto\Statement;
use K2gl\Slsa\V02\Provenance;

$statement  = Statement::fromEnvelope($envelope);   // verify signatures first
$provenance = Provenance::fromStatement($statement);

$provenance->builder->id;                              // 'https://github.com/…'
$provenance->buildType;                                // 'https://…/generic@v1'
$provenance->invocation?->configSource?->uri;          // 'git+https://github.com/…'
$provenance->metadata?->completeness?->parameters;     // true
$provenance->materials[0]->digest;                     // ['sha1' => '…']
```

Building one wraps it in an in-toto Statement **v0.1** by default — the version real-world v0.2 provenance is paired with. The two versions are orthogonal, so the Statement version can be overridden:

```php
use K2gl\InToto\StatementVersion;
use K2gl\Slsa\V02\Builder;
use K2gl\Slsa\V02\Provenance;

$provenance = new Provenance(
    builder: new Builder(id: 'https://github.com/actions/runner'),
    buildType: 'https://github.com/slsa-framework/slsa-github-generator/generic@v1',
);

$statement = $provenance->toStatement([$subject]);                       // in-toto Statement v0.1
$statement = $provenance->toStatement([$subject], StatementVersion::V1); // …or v1
```
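Parsing the predicate is only half of consuming provenance; the consumer still has to decide whether the claims it carries are acceptable. The following is an added example, not code from the k2gl/slsa-provenance project, that lifts the builder id, build type and source repository out of either the v1 or the v0.2 shape and checks them against pinned expectations. Property paths follow the README above; reading `externalParameters['repository']` back from the v1 `BuildDefinition`, and the `normaliseRepo` handling of `git+…@ref` URIs, are assumptions made for this example.

```php
<?php
use K2gl\Slsa\Provenance as ProvenanceV1;
use K2gl\Slsa\V02\Provenance as ProvenanceV02;
// Strips the `git+` scheme prefix and any `@ref` suffix so v1 and v0.2 source URIs compare as plain repo URLs.
function normaliseRepo(?string $uri): ?string
{
    return $uri === null ? null : explode('@', preg_replace('/^git\+/', '', $uri), 2)[0];
}

/**
 * Lifts the policy-relevant claims out of either predicate shape. Property paths follow the
 * README; reading `externalParameters['repository']` back from BuildDefinition is an assumption.
 * @return array{builderId: ?string, buildType: ?string, sourceRepo: ?string}
 */
function extractClaims(ProvenanceV1|ProvenanceV02 $p): array
{
    if ($p instanceof ProvenanceV1) {
        return [
            'builderId'  => $p->runDetails->builder->id,
            'buildType'  => $p->buildDefinition->buildType,
            'sourceRepo' => normaliseRepo($p->buildDefinition->externalParameters['repository'] ?? null),
        ];
    }
    return [
        'builderId'  => $p->builder->id,
        'buildType'  => $p->buildType,
        'sourceRepo' => normaliseRepo($p->invocation?->configSource?->uri),
    ];
}

/**
 * Compares the claims against the consumer's pinned expectations and returns one message per
 * mismatch; empty means the provenance satisfies the policy. Only meaningful on a Statement
 * parsed from a DSSE envelope whose signature has already been verified.
 * @param array{builderId: string, buildType: string, sourceRepo: string} $expected
 * @return list<string>
 */
function checkProvenance(ProvenanceV1|ProvenanceV02 $p, array $expected): array
{
    $claims = extractClaims($p);
    $expected['sourceRepo'] = normaliseRepo($expected['sourceRepo']);
    $violations = [];
    foreach ($expected as $field => $want) {
        $got = $claims[$field] ?? null;
        if ($got !== $want) {   // strict: a missing claim is a violation, not a pass
            $violations[] = sprintf('%s: expected %s, got %s', $field, $want, $got ?? '(missing)');
        }
    }
    return $violations;
}
```

A consumer would call `checkProvenance($provenance, ['builderId' => …, 'buildType' => …, 'sourceRepo' => …])` right after `Provenance::fromStatement()` and refuse the artifact unless the returned list is empty.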

License
-------

MIT — see [LICENSE](LICENSE). Independent, clean-room implementation of the SLSA Provenance specification.

### Health Score

40 (Fair, better than 86% of packages)

- Maintenance 98: actively maintained with recent releases
- Popularity 4: limited adoption so far
- Community 6: small or concentrated contributor base
- Maturity 43: maturing project, gaining track record
- Bus Factor 1: top contributor holds 100% of commits, a single point of failure


### Release Activity

- Cadence: every ~1 days
- Total releases: 2
- Last release: 9d ago

### Community

- Maintainers: [k2gl](/maintainers/k2gl)
- Top contributors: [k2gl](https://github.com/k2gl) (5 commits)
- Tags: build, attestation, supply-chain, provenance, dsse, in-toto, sigstore, slsa

### Code Quality

- Tests: PHPUnit
- Static analysis: PHPStan
- Code style: PHP CS Fixer
- Type coverage: yes

