slsa-verifier "FAILED: could not find provenance" in CI
slsa-verifier checks an artifact against SLSA provenance produced by a trusted builder. "could not find provenance" means no provenance attestation matches the artifact digest, the source repository, or the expected builder.
What this error means
slsa-verifier exits with "FAILED: could not find a matching provenance" or "no attestation found", so the artifact cannot be verified against its build.
slsa-verifier verify-artifact app-linux-amd64 \
--provenance-path app.intoto.jsonl --source-uri github.com/acme/app
FAILED: could not find a matching provenance for the given artifactCommon causes
The provenance file does not correspond to the artifact
The provenance references a different digest than the artifact you pass, so no subject matches.
The source-uri or builder-id does not match
A wrong --source-uri or an unexpected builder means the verifier rejects the provenance as not matching your expectations.
How to fix it
Point at the right provenance and source
- Pass the provenance emitted by the same release that built the artifact.
- Set
--source-urito the exact repository that produced it. - Match the artifact file byte for byte to the one covered by provenance.
slsa-verifier verify-artifact app-linux-amd64 \
--provenance-path app.intoto.jsonl \
--source-uri github.com/acme/app \
--source-tag v1.2.3Confirm the builder that produced the provenance
For a container, use verify-image and set the expected builder so the verifier looks for provenance from that generator.
slsa-verifier verify-image ghcr.io/acme/app@sha256:... \
--source-uri github.com/acme/app \
--builder-id https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v2.0.0How to prevent it
- Verify the exact artifact the provenance was generated for.
- Set
--source-uri(and tag) to the producing repository. - Track which builder-id your provenance uses and pass it on verify.