
Build Security


About Build Security

Xygeni helps you to protect the integrity of your artifacts and build (CI/CD) processes. This is known as Build Security.

The Xygeni platform provides a component for an important part of Build Security: the creation, storage and verification of attestations on the software.

The following sections describe Xygeni SALT (Software Attestation Layer for Trust), the component for generating, registering and verifying software attestations.

Quick Start

Install the SALT command-line tool. The following commands work under Linux/macOS.

  # download zipfile
  curl -sLO https://get.xygeni.io/latest/salt/salt.zip
  # unzip in current directory
  unzip salt.zip -d PATH_TO_DIR
  # add alias
  alias salt="PATH_TO_DIR/xygeni_salt/salt"

where PATH_TO_DIR stands for the directory into which the SALT tool is uncompressed (see Installing Salt CLI for detailed instructions or for other operating systems). Note that an alias is only visible in the interactive shell that defines it; in a CI job, add PATH_TO_DIR/xygeni_salt to the PATH instead.

Now you can generate a sample attestation for your software product. Go to the repository directory of the product (cd <YOUR_REPO_DIR>) and create a one-shot SLSA Provenance attestation with salt at provenance (at is the short form of attestation):

cd <YOUR_REPO_DIR>
salt at provenance -p my_pipeline -d . \
     --image my_org/my_image:latest \
     --keyless \
     -o slsa.json --output-unsigned slsa.unsigned.json \
     --no-upload --no-result-upload

The SLSA Provenance attestation is written to the slsa.unsigned.json file, and the signed envelope (signed with an ephemeral key pair, certified with an ephemeral certificate) is stored in the slsa.json file. The unsigned file is convenient for inspecting the statement; only the signed envelope counts as evidence, because verification checks the signature.

Now verify the attestation against the artifact it describes. The attestation file, the public key or certificate given to --public-key (cert2.pem below is a placeholder) and the image reference must be the ones from your own run; with the values from the step above, the attestation is slsa.json and the image is my_org/my_image:latest. The image must be the same artifact the attestation was generated for, otherwise its digest does not match the attestation subject and verification fails:

salt verify \
     --attestation=slsa.json \
     --public-key=cert2.pem --image=my_org/my_image:latest

Concepts

A software attestation is an authenticated statement (metadata) about a software artifact or a collection of software artifacts.

Software attestations generalize raw artifact/code signing: instead of signing only the artifact bytes, a signed document (in a given format, typically JSON-based) associates metadata with the artifact. Attestations represent evidence linking the inputs (materials) and outputs (artifacts produced) of each build step.

Attestations thus provide a verifiable record of the steps taken to build the final software artifacts, including the input materials for each step and the build commands run.

How SALT works

SALT (Software Attestation Layer for Trust) is the Build Security feature of the Xygeni platform: the infrastructure for creating and verifying software attestations, serving different use cases.

Result upload: the results of attestation generation are uploaded to Xygeni, so any error or integrity failure is reported and can be notified to DevOps engineers and security management teams. The Quick Start above turns this off with --no-result-upload.

Architecture

The main components of SALT are depicted in the architecture diagram on the SALT Architecture page.

Command-Line

Salt provides a command-line interface (Salt CLI) with commands for creating the attestation document from the inputs, interacting with the attestation registry, and verifying an attestation against the software product it references.

The general form is salt CMD, with CMD = attestation | keygen | registry | contract | verify.

The Salt CLI has two levels (command + subcommand), and -h | --help shows the help at the command or subcommand level.

The main commands are:

  • salt keygen: Generate key pairs for signing

  • salt attestation init|add|run|status|commit|reset: Incremental attestation build

  • salt attestation provenance: Provenance for pipeline, in a single shot

  • salt registry search | get | put: Operations with Attestation Registry

  • salt verify: Verify contract / attestation for SW artifact

  • salt contract create | from-build | upload | download: Contract handling

Software attestations are typically created in the same pipeline that builds and/or deploys the software. One or more steps run Salt CLI commands to build the attestation either in one shot (salt attestation provenance) or incrementally at different steps along the pipeline (salt attestation init|add|run|commit), so that each step's materials and products are recorded as they are produced.

Attestation Format

Attestations in the IAF are serialized as JSON.
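The following is an added example, not SALT's own code, that models in standard-library Python what the incremental init/add/run/commit flow, the resulting in-toto Statement and the verify step from the sections above do: materials are hashed before a build step, products after it, the statement is wrapped in a DSSE envelope whose signature covers the pre-authentication encoding, and verification recomputes the artifact digest and compares it with the statement's subject. File names, the builder id, the build type and the key are constructed for the demo; an HMAC stands in for the asymmetric or keyless signature SALT actually uses.

```python
"""Added example, not SALT's own code: the init/add/run/commit flow, the in-toto
Statement it produces and the verification step, modelled in stdlib Python.
Paths, builder id, build type and the HMAC key are constructed for the demo."""
import base64, hashlib, hmac, json
import os, subprocess, sys, tempfile

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def descriptor(path):
    """in-toto ResourceDescriptor: a name and a set of digests."""
    return {"name": os.path.basename(path), "digest": {"sha256": sha256_of(path)}}


class IncrementalAttestation:
    """Materials are hashed before a step runs and products after it, so every
    step links its inputs to its outputs (cf. salt attestation add/run/commit)."""

    def __init__(self, builder_id, build_type):
        self.builder_id, self.build_type = builder_id, build_type
        self.materials, self.steps, self.products = [], [], []

    def add(self, *paths):                      # register input materials
        self.materials.extend(descriptor(p) for p in paths)

    def run(self, name, cmd, cwd, outputs):     # run a build command, record its outputs
        subprocess.run(cmd, cwd=cwd, check=True)
        self.products = [descriptor(p) for p in outputs]
        self.steps.append({"name": name, "command": cmd, "products": self.products})

    def commit(self):                           # finalize: last products become the subject
        return {
            "_type": STATEMENT_TYPE,
            "subject": self.products,
            "predicateType": SLSA_PROVENANCE_V1,
            "predicate": {
                "buildDefinition": {"buildType": self.build_type,
                                    "resolvedDependencies": self.materials,
                                    "internalParameters": {"steps": self.steps}},
                "runDetails": {"builder": {"id": self.builder_id}},
            },
        }


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes the signature covers, so the
    payload type cannot be swapped without invalidating the signature."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign_envelope(statement, key, keyid):
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(IN_TOTO_PAYLOAD_TYPE, payload), "sha256").digest()
    return {"payloadType": IN_TOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify_envelope(envelope, key, artifact_path):
    """Check the signature over the PAE, the statement/predicate types, and that
    the artifact's digest is among the subjects. Returns (ok, reason)."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope["payload"])
    want = hmac.new(key, pae(envelope["payloadType"], payload), "sha256").digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), want)
               for s in envelope.get("signatures", [])):
        return False, "bad signature"
    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        return False, "not a SLSA provenance statement"
    digest = sha256_of(artifact_path)
    if not any(hmac.compare_digest(s.get("digest", {}).get("sha256", ""), digest)
               for s in stmt.get("subject", [])):
        return False, "artifact digest not among subjects"
    return True, "ok"


def demo():
    """Build, attest and verify; then tamper with the artifact and verify again."""
    key = b"demo-shared-secret"                 # constructed; a real signer uses a key pair
    with tempfile.TemporaryDirectory() as d:
        src, out = os.path.join(d, "main.src"), os.path.join(d, "app.bin")
        with open(src, "w") as f:
            f.write("hello build\n")             # constructed source material
        att = IncrementalAttestation("https://ci.example.invalid/runner",
                                     "https://example.invalid/build/v1")
        att.add(src)
        att.run("compile", [sys.executable, "-c",
                "import sys; open(sys.argv[2], 'wb').write(open(sys.argv[1], 'rb').read().upper())",
                src, out], d, [out])
        env = sign_envelope(att.commit(), key, "demo-key")
        ok, _ = verify_envelope(env, key, out)
        with open(out, "ab") as f:              # modify the artifact after attestation
            f.write(b"\x00")
        tampered, reason = verify_envelope(env, key, out)
        return ok, tampered, reason


if __name__ == "__main__":
    print(demo())
```

The order of checks in verify_envelope matters: the signature is checked before anything in the payload is trusted, and only then are the statement type and the subject digest compared, which is the same reason the Quick Start passes both the attestation and the image to salt verify.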

How to…​

You may need to use special features, build attestations or handle key material in a non-standard way. The following tips & tricks may help:

  • Store attestations in my registry of choice

  • Use keyless signatures

  • Add SBOM and other reports to attestations

  • Set command autocompletion

Further reading

For more information about what software attestations are, what they are used for, the structure of a software attestation and which standards are in place, refer to the Build Security Concepts section.

A command-line interface (the salt command) is provided for generating attestations in CI/CD pipelines and for verifying the integrity of attestations with regard to the software artifacts they refer to. Additional integrations, such as plugins, are provided for the most popular CI/CD systems. See the Salt Command-Line Reference for further details.

Xygeni provides an attestation registry based on the combination of in-toto Archivista as storage and sigstore Rekor as a transparency log. The public server for the Xygeni-provided attestation registry is at https://salt.xygeni.io. For further information, see How SALT works.

The Salt model contains most of the in-toto specification types for software attestations, as shown on the SALT Architecture page.

SALT follows the in-toto Attestation Framework (IAF). The IAF provides a specification for generating verifiable claims about any aspect of how a piece of software is produced. Consumers or users of software can then validate the origins of the software, and establish trust in its supply chain, using in-toto attestations. See Attestation Format for the general format of signed attestations and their components, including the attestations supported, and Available Predicate Types for the predicate types.