
Add more example provenance and VSAs #1156

Open
TomHennen opened this issue Sep 26, 2024 · 4 comments

Comments

@TomHennen (Contributor)

Recently @NicoleSchwartz shared this query and these docs to provide example SLSA provenance and VSAs.

It occurred to me that we don't have those examples linked to from this repo, and that would be pretty handy?

We don't exactly have a great place to do that at the moment (though we do index some build types).

Any thoughts on how to make examples like this more discoverable?

@behnazh-w commented Sep 26, 2024

Linking to example SLSA provenances, VSAs, and tools that can process them is crucial and deserves more attention. Here’s a list of the build types we’ve encountered so far in the Macaron project:

Build Types

  1. SLSA GitHub Provenance Generator:
     https://github.com/slsa-framework/slsa-github-generator/generic@v1

  2. GitHub Artifact Attestation and npm Provenances:
     • https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1
     • https://github.com/npm/cli/gha/v2

  3. Google Cloud Build:
     https://slsa-framework.github.io/gcb-buildtypes/triggered-build/v1

  4. Witness Provenances:
     https://witness.testifysec.com/attestation-collection/v0.1

Additional Resources

To further assist users in discovering existing tools that support SLSA, I propose the following:

  • Dedicated Repository: Create a repository for information about tools that support SLSA, similar to CycloneDX.

  • Related Issue: For more context, see Issue #1118.
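As an added example (not code from this issue, from the SLSA repo, or from the Macaron project), the Python below opens a DSSE envelope, tells a SLSA provenance apart from a VSA by its predicateType, and maps the provenance's buildType to the builders listed above. The envelopes are constructed inline and unsigned, and the code deliberately skips DSSE signature verification, which any real verifier must perform first.

```python
import base64
import json

# Build types named in the thread, mapped to the producing builder.
KNOWN_BUILD_TYPES = {
    "https://github.com/slsa-framework/slsa-github-generator/generic@v1": "slsa-github-generator",
    "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1": "GitHub Artifact Attestation",
    "https://github.com/npm/cli/gha/v2": "npm provenance",
    "https://slsa-framework.github.io/gcb-buildtypes/triggered-build/v1": "Google Cloud Build",
    "https://witness.testifysec.com/attestation-collection/v0.1": "Witness",
}
PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
VSA_V1 = "https://slsa.dev/verification_summary/v1"

def classify_envelope(envelope_json: str) -> dict:
    """Open a DSSE envelope and report which SLSA attestation it carries.
    The DSSE signature is NOT checked here; a real verifier must check it
    against the expected builder or verifier key before trusting any field."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        return {"kind": "unknown", "reason": "payload is not an in-toto statement"}
    stmt = json.loads(base64.b64decode(env["payload"]))
    ptype = stmt.get("predicateType")
    if ptype == PROVENANCE_V1:
        build_type = stmt["predicate"]["buildDefinition"].get("buildType")
        return {"kind": "provenance", "buildType": build_type,
                "builder": KNOWN_BUILD_TYPES.get(build_type, "unrecognised")}
    if ptype == VSA_V1:
        pred = stmt["predicate"]
        return {"kind": "vsa", "verifier": pred["verifier"]["id"],
                "result": pred["verificationResult"],
                "levels": pred.get("verifiedLevels", [])}
    return {"kind": "unknown", "reason": f"unexpected predicateType {ptype}"}

def wrap_unsigned(predicate_type: str, predicate: dict) -> str:
    """Constructed, unsigned DSSE envelope around an in-toto v1 statement."""
    statement = {"_type": "https://in-toto.io/Statement/v1",
                 "subject": [{"name": "app.tar.gz", "digest": {"sha256": "00" * 32}}],
                 "predicateType": predicate_type, "predicate": predicate}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})

# Constructed samples: a Cloud Build provenance and a passing VSA (placeholder verifier id).
SAMPLE_PROVENANCE = wrap_unsigned(PROVENANCE_V1, {"buildDefinition": {
    "buildType": "https://slsa-framework.github.io/gcb-buildtypes/triggered-build/v1"}})
SAMPLE_VSA = wrap_unsigned(VSA_V1, {"verifier": {"id": "https://example.com/verifier"},
    "verificationResult": "PASSED", "verifiedLevels": ["SLSA_BUILD_LEVEL_3"]})
```

An unrecognised buildType is reported rather than rejected, so a verifier built on this can decide separately whether, as the later comments discuss, a given attestation format counts as SLSA provenance at all.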

@ramonpetgrave64 commented Oct 7, 2024

@behnazh-w Re: 2, GitHub's Artifact Attestation is not yet supported in slsa-verifier, and there may be some disagreement or misunderstanding about whether it is SLSA provenance or not.

@behnazh-w commented

> @behnazh-w Re: 2, GitHub's Artifact Attestation is not yet supported in slsa-verifier, and there may be some disagreement or misunderstanding about whether it is SLSA provenance or not.

@ramonpetgrave64 I wasn't aware of this potential disagreement. Could you share any discussions or resources on this?

@ramonpetgrave64 commented

@behnazh-w Here's an active discussion about a separate issue: cli/cli#9602 (comment)
