Secure Your GitHub Actions with StepSecurity

actions/attest-build-provenance

Action for generating build provenance attestations for workflow artifacts

GitHub Repository

804 stars

Composite

Score updated 3 days ago

Composite Action Details

Pinnable

Yes

GitHub Actions security score

	actions/attest-build-provenance
Score	9/10
License	MIT License
Maintained	16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Vulnerabilities	0 existing vulnerabilities detected
Branch protection	branch protection is not maximal on development and all release branches
Manual code review	-
Secure publishing	-
Signed commits	-
Automated security tools	-
Popular	Used by 2608 open-source projects
Security Policy	security policy file detected

Networking Behavior of actions/attest-build-provenance

This GitHub Action often makes outbound network calls to these destinations, as gathered from public workflows using the Harden-Runner GitHub Action. Harden-Runner offers network egress filtering and runtime security for both GitHub-hosted and self-hosted runners.

Popular DestinationUnknown Destination

Network Destination	Owner
fulcio.sigstore.dev	Sigstore
rekor.sigstore.dev	Sigstore
api.github.com	GitHub
index.docker.io	DockerHub
quay.io	Unknown
ghcr.io	GitHub
production.cloudflare.docker.com	DockerHub
auth.docker.io	DockerHub
registry-1.docker.io	DockerHub
github.com	GitHub
fulcio.githubapp.com	Unknown
timestamp.githubapp.com	Unknown
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com	DockerHub
244531986313.dkr.ecr.eu-central-1.amazonaws.com	Unknown
winatp-gw-cus.microsoft.com	Microsoft
us-docker.pkg.dev	Unknown