Skip to main content

View attestations and violations

The SBOM, SLSA Provenance, attestations, and policy enforcement results generated by SSCA are stored in Harness or your container registry. This topic explains where to find this data.

SBOM, SLSA Provenance, and attestations

When an SBOM or SLSA Provenance is generated, along with a signed attestation, in a Harness pipeline run, the signed attestation (which includes the SBOM or SLSA Provenance) is stored, as an .att file, in the artifact repository along with the image.

On the Execution details page in Harness, you can view and download SBOM and SLSA Provenance from the Artifacts tab.

tip

If your pipeline has multiple stages, the Artifacts tab is filtered by stage. Use the dropdown menu to select the relevant stage.

SSCA policy violations

If your pipeline included an SSCA Enforcement step, you can see the number of policy violations in the Violations column on the Artifacts tab.

Select the number to inspect the details of the violations.

tip

If your pipeline has multiple stages, the Artifacts tab is filtered by stage. Use the dropdown menu to select the relevant stage.

SLSA verification results

In the SLSA Verification column on the Artifacts tab, you can see if the verification passed or failed.

tip

If your pipeline has multiple stages, the Artifacts tab is filtered by stage. Use the dropdown menu to select the relevant stage.

To inspect which policies failed, select the Pipeline tab, select the SLSA Verification step, and then select the Policy Enforcement tab.