Can I find the git commit that produced a specific image?

Yes, the skill can provide a direct URL to the repository and commit SHA used to build the specific image reference.

What is Konflux provenance?

It is a SLSA-compliant attestation generated during Konflux builds that records the source repository, commit SHA, and build environment for a container image.

Can I use this for any Docker image?

No, this skill is specifically designed for images built within Konflux that include SLSA attestations signed by Tekton Chains.

What tools does this skill require?

The skill utilizes cosign for downloading attestations and jq for parsing the JSON payload to extract useful metadata.

How does this skill help with debugging pipeline failures?

It automatically extracts the exact pipeline log URL from an image's metadata, allowing you to jump directly to the logs instead of searching through the UI.

Konflux Build Provenance Tracer

Name: Konflux Build Provenance Tracer
Author: konflux-ci

bykonflux-ci

•

보안 및 테스팅

Traces Konflux container images back to their source code, build logs, and SLSA attestations for complete supply chain visibility.

소개

This skill enables Claude to navigate the software supply chain within Konflux by extracting and interpreting SLSA provenance attestations. It provides specialized commands to link container image references directly to their original GitHub/GitLab commits, Tekton pipeline logs, and build parameters, making it indispensable for debugging failed deployments, auditing security compliance, and verifying artifact integrity using tools like cosign and jq.

주요 기능

6 GitHub stars
Extracts SLSA provenance attestations from container images
Generates direct links to Tekton pipeline build logs
Verifies build parameters and execution environments
Maps image tags to specific source repository commits
Automates complex JQ parsing of base64-encoded attestations

사용 사례

Tracing code changes by linking artifacts to git history
Auditing the origin of a production image for security compliance
Debugging missing SBOMs or failed build tasks by accessing logs

소개

주요 기능

6 GitHub stars
Extracts SLSA provenance attestations from container images
Generates direct links to Tekton pipeline build logs
Verifies build parameters and execution environments
Maps image tags to specific source repository commits
Automates complex JQ parsing of base64-encoded attestations

사용 사례

Tracing code changes by linking artifacts to git history
Auditing the origin of a production image for security compliance
Debugging missing SBOMs or failed build tasks by accessing logs