| Field | Value |
|---|---|
| Rule ID | slsa-build-l2-verify-step |
| Severity | INFO |
| SLSA level | v1.2 Build L2 |
| Auto-fix | ✗ |

What the check does

Fires when a workflow contains either:

- A step using `actions/download-artifact`, OR
- A `run:` step that contains `docker pull`, `docker run`, `crane pull`, or `skopeo copy`,

`gh attestation verify`, `slsa-verifier verify`, `cosign verify-attestation`, or `cosign verify`. Also accepts a `uses:` call into `slsa-framework/slsa-verifier-action`.
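
The check expressed as Python over an already-parsed workflow, added here as an example and not the tool's own implementation. Assumptions: the text above does not spell out how the two command lists combine, so this version reports the consuming steps only when no verification step appears anywhere in the workflow; the function name and both sample workflows are constructed.

```python
import re

# Step patterns taken from the rule text above.
CONSUME_ACTIONS = {"actions/download-artifact"}
VERIFY_ACTIONS = {"slsa-framework/slsa-verifier-action"}
CONSUME_CMD = re.compile(r"\b(?:docker\s+(?:pull|run)|crane\s+pull|skopeo\s+copy)\b")
# Lookahead keeps other cosign subcommands (e.g. verify-blob) from matching.
VERIFY_CMD = re.compile(
    r"\b(?:gh\s+attestation\s+verify|slsa-verifier\s+verify"
    r"|cosign\s+verify(?:-attestation)?)(?![\w-])"
)


def find_unverified_consumers(workflow: dict) -> list[str]:
    """Return the consuming steps of a workflow that has no verification step.

    Assumption: any verification step in the workflow satisfies the check.
    """
    consumers, verified = [], False
    for job_id, job in workflow.get("jobs", {}).items():
        for index, step in enumerate(job.get("steps", [])):
            action = str(step.get("uses", "")).split("@")[0]  # drop the @ref pin
            script = str(step.get("run", ""))
            if action in VERIFY_ACTIONS or VERIFY_CMD.search(script):
                verified = True
            if action in CONSUME_ACTIONS or CONSUME_CMD.search(script):
                consumers.append(f"{job_id}.steps[{index}]")
    return [] if verified else consumers


# Constructed sample workflows, shaped like parsed GitHub Actions YAML.
UNVERIFIED = {"jobs": {"deploy": {"steps": [
    {"uses": "actions/download-artifact@v4"},
    {"run": "docker run --rm ghcr.io/example/app:latest"},
]}}}
VERIFIED = {"jobs": {"deploy": {"steps": [
    {"run": "docker pull ghcr.io/example/app:latest"},
    {"run": "cosign verify-attestation --type slsaprovenance ghcr.io/example/app:latest"},
]}}}

if __name__ == "__main__":
    print(find_unverified_consumers(UNVERIFIED))
    print(find_unverified_consumers(VERIFIED))
```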