
# SLSA-BUILD-L2 — Build provenance is not generated

> Workflows that publish release-shaped artifacts must generate a SLSA Build provenance attestation.

| Field      | Value                                                          |
| ---------- | -------------------------------------------------------------- |
| Rule ID    | `slsa-build-l2-provenance`                                     |
| Severity   | **HIGH**                                                       |
| SLSA level | [v1.2 Build L2](https://slsa.dev/spec/v1.2/build-track-basics) |
| Auto-fix   | ✗                                                              |

## What the check does

Flags any workflow that:

1. Publishes a release-shaped artifact — a step using one of
   `softprops/action-gh-release`, `actions/upload-release-asset`,
   `docker/build-push-action`, `actions/upload-pages-artifact`, or a `run:`
   line containing `docker push`, `gh release upload|create`, `npm publish`,
   `cargo publish`, `twine upload`, `gem push`, or `goreleaser release`,
   **AND**
2. Does **not** contain any step from `actions/attest-build-provenance` /
   `actions/attest`, nor a `uses:` call into
   `slsa-framework/slsa-github-generator/...`.
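A reference implementation of the two-part check above, added here as an illustration and not Pipefort's own checker: it scans a workflow file line by line for the publishing actions and commands listed, then for any attestation step, and (going slightly beyond the rule text, which speaks of a single `run:` line) also looks inside `run: |` block scalars. The sample workflow at the bottom is constructed for the example.

```python
import re

# Publishing actions and shell commands, as listed in the rule description.
PUBLISH_ACTIONS = {"softprops/action-gh-release", "actions/upload-release-asset",
                   "docker/build-push-action", "actions/upload-pages-artifact"}
PUBLISH_CMDS = re.compile(r"\b(docker push|gh release (?:upload|create)|npm publish"
                          r"|cargo publish|twine upload|gem push|goreleaser release)\b")
# Steps whose presence satisfies the rule (provenance is generated).
ATTEST_ACTIONS = {"actions/attest-build-provenance", "actions/attest"}
SLSA_GENERATOR = "slsa-framework/slsa-github-generator/"

USES_RE = re.compile(r"^(\s*-?\s*)uses:\s*(\S+)")
RUN_RE = re.compile(r"^(\s*-?\s*)run:\s*(.*)$")
BLOCK_RE = re.compile(r"[|>][+-]?\d?")  # YAML block-scalar indicators

def _block_body(lines: list[str], start: int, key_col: int) -> str:
    """Script of a `run: |` block: following lines indented past the `run` key."""
    body = []
    for line in lines[start + 1:]:
        if line.strip() and len(line) - len(line.lstrip(" ")) <= key_col:
            break  # back at (or above) the key's column: block scalar is over
        body.append(line)
    return "\n".join(body)

def check_workflow(text: str) -> list[str]:
    """Return [rule_id] if the workflow publishes without generating provenance."""
    lines = text.splitlines()
    publishes = attests = False
    for i, line in enumerate(lines):
        if m := USES_RE.match(line):
            name = m.group(2).split("@", 1)[0]  # drop the @<ref> pin
            publishes |= name in PUBLISH_ACTIONS
            attests |= name in ATTEST_ACTIONS or name.startswith(SLSA_GENERATOR)
        elif m := RUN_RE.match(line):
            value = m.group(2).strip()
            script = (_block_body(lines, i, len(m.group(1)))
                      if BLOCK_RE.fullmatch(value) else value)
            publishes |= bool(PUBLISH_CMDS.search(script))
    return ["slsa-build-l2-provenance"] if publishes and not attests else []

# Constructed sample (not from the page): publishes via `run: |`, never attests.
VULNERABLE = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@<sha>
      - run: |
          docker push registry.example/app:1.0
"""
```

Running `check_workflow` over the page's "Safe example" returns an empty list, because the `actions/attest-build-provenance` step is present.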

## Why it matters

SLSA Build L2 requires that artifacts ship with **signed provenance** — a
verifiable record of what built them, how, and from which source. Without it,
downstream consumers have no way to confirm that an artifact came from the
expected build of the expected source, so tampering or substitution goes
undetected.

## Vulnerable example

```yaml
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<sha>
      - uses: softprops/action-gh-release@<sha>
        with:
          files: dist/*
```

## Safe example

```yaml
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      attestations: write
      contents: write
    steps:
      - uses: actions/checkout@<sha>
      - run: ./build.sh
      - uses: actions/attest-build-provenance@<sha>
        with:
          subject-path: dist/*
      - uses: softprops/action-gh-release@<sha>
        with:
          files: dist/*
```

For Build L3, prefer the [`slsa-framework/slsa-github-generator`](https://github.com/slsa-framework/slsa-github-generator)
reusable workflow over an in-job attestation step — see
[provenance-isolated](/rules/slsa-build-l3-provenance-isolated).

## Why no auto-fix

Provenance generation depends on what the workflow actually builds and where
it publishes; injecting a generic attestation step would produce a broken
build more often than a working one.
