
# SLSA-BUILD-L2 — Workflow consumes artifacts but does not verify provenance

> Consumers should verify provenance before using downloaded artifacts or pulled images.

| Field      | Value                                                          |
| ---------- | -------------------------------------------------------------- |
| Rule ID    | `slsa-build-l2-verify-step`                                    |
| Severity   | **INFO**                                                       |
| SLSA level | [v1.2 Build L2](https://slsa.dev/spec/v1.2/build-track-basics) |
| Auto-fix   | ✗                                                              |

## What the check does

Fires when a workflow contains either:

* A step using `actions/download-artifact`, **OR**
* A `run:` step that contains `docker pull`, `docker run`, `crane pull`, or
  `skopeo copy`,

…and the workflow contains **no** verification step matching `gh attestation
verify`, `slsa-verifier verify`, `cosign verify-attestation`, or `cosign
verify`. Also accepts a `uses:` call into
`slsa-framework/slsa-verifier-action`.
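As an added illustration (not pipefort's own implementation), the rule above can be expressed as a small function over a workflow that has already been parsed from YAML into a dict (for instance with `yaml.safe_load`). It scans every step in every job, flags the workflow when a consuming step exists and no verification step appears anywhere in the workflow, and is run here against constructed sample workflows, including a producer-only workflow that must not fire and a verification done via the `slsa-framework/slsa-verifier-action` action. All sample values (image names, artifact names, the `<sha>` placeholder) are constructed for the example.

```python
"""Reference logic for the slsa-build-l2-verify-step rule.

Added example, not pipefort's code. Assumes the workflow YAML has already
been loaded into a dict (e.g. by yaml.safe_load); sample workflows below
are constructed inline.
"""
import re

# `uses:` actions that consume artifacts (version suffix after '@' is ignored).
CONSUMER_ACTIONS = ("actions/download-artifact",)
# `run:` commands that pull or run container images.
CONSUMER_COMMANDS = re.compile(
    r"\b(docker\s+pull|docker\s+run|crane\s+pull|skopeo\s+copy)\b"
)
# `uses:` actions that verify provenance.
VERIFY_ACTIONS = ("slsa-framework/slsa-verifier-action",)
# `run:` commands that verify provenance or attestations.
VERIFY_COMMANDS = re.compile(
    r"\b(gh\s+attestation\s+verify|slsa-verifier\s+verify|"
    r"cosign\s+verify-attestation|cosign\s+verify)\b"
)


def _steps(workflow):
    """Yield every step of every job; jobs without steps (reusable
    workflow calls) contribute nothing."""
    for job in (workflow.get("jobs") or {}).values():
        for step in job.get("steps") or []:
            yield step


def _uses_matches(step, actions):
    """True if the step's `uses:` (minus its @ref) is one of `actions`."""
    uses = step.get("uses")
    return isinstance(uses, str) and uses.split("@", 1)[0] in actions


def _run_matches(step, pattern):
    """True if the step's `run:` script contains a command in `pattern`."""
    run = step.get("run")
    return isinstance(run, str) and pattern.search(run) is not None


def consumes_without_verification(workflow):
    """Return True when the rule fires: at least one consuming step and no
    verification step anywhere in the workflow."""
    steps = list(_steps(workflow))
    consumes = any(
        _uses_matches(s, CONSUMER_ACTIONS) or _run_matches(s, CONSUMER_COMMANDS)
        for s in steps
    )
    verifies = any(
        _uses_matches(s, VERIFY_ACTIONS) or _run_matches(s, VERIFY_COMMANDS)
        for s in steps
    )
    return consumes and not verifies


# Constructed sample workflows (dict form of what a scanner would load).
DOWNLOAD = {"uses": "actions/download-artifact@<sha>", "with": {"name": "built-binary"}}

VULNERABLE = {"jobs": {"use": {"runs-on": "ubuntu-latest", "steps": [
    DOWNLOAD,
    {"run": "./built-binary --do-the-thing"},
]}}}

SAFE = {"jobs": {"use": {"runs-on": "ubuntu-latest", "steps": [
    DOWNLOAD,
    {"run": "gh attestation verify built-binary --owner my-org"},
    {"run": "./built-binary --do-the-thing"},
]}}}

# Producer only: uploads an artifact, consumes nothing, must not fire.
PRODUCER_ONLY = {"jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
    {"run": "make build"},
    {"uses": "actions/upload-artifact@<sha>", "with": {"name": "built-binary"}},
]}}}

# Image pull with no verification anywhere: fires.
IMAGE_PULL = {"jobs": {"deploy": {"steps": [
    {"run": "docker pull example.invalid/app:1.0"},  # constructed image ref
]}}}

# Verification via the action form rather than a shell command: does not fire.
ACTION_VERIFY = {"jobs": {"deploy": {"steps": [
    {"uses": "slsa-framework/slsa-verifier-action@<sha>"},
    {"run": "docker pull example.invalid/app:1.0"},
]}}}


if __name__ == "__main__":
    for name, wf in [("VULNERABLE", VULNERABLE), ("SAFE", SAFE),
                     ("PRODUCER_ONLY", PRODUCER_ONLY), ("IMAGE_PULL", IMAGE_PULL),
                     ("ACTION_VERIFY", ACTION_VERIFY)]:
        print(f"{name}: {'FIRES' if consumes_without_verification(wf) else 'ok'}")
```

Because the verification check is evaluated over the whole workflow rather than per job, a verify step in a different job than the download silences the rule, which matches the "workflow contains no verification step" wording above; a stricter per-job variant would only need `_steps` to be called on a single job.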

## Why it's INFO

Producing signed provenance (L2) only delivers value if **consumers verify
it**. This is a strong recommendation but not strictly a security defect — a
workflow may be a producer that doesn't consume external artifacts, or may
verify out-of-band. INFO keeps the rule out of failure thresholds by default.

## Vulnerable example

```yaml
jobs:
  use:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@<sha>
        with: { name: built-binary }
      - run: ./built-binary --do-the-thing
```

## Safe example

```yaml
jobs:
  use:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@<sha>
        with: { name: built-binary }
      - run: gh attestation verify built-binary --owner my-org
      - run: ./built-binary --do-the-thing
```
