docs: import CloudNativePG main

gbartolini · gbartolini · commit 32fb439ad86a · 2026-03-01T22:27:19.000Z
diff --git a/website/docs/installation_upgrade.md b/website/docs/installation_upgrade.md
@@ -391,6 +391,19 @@ cosign verify-blob \
   --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
 ```
 
+#### Verifying SLSA provenance
+
+To verify a release binary, download both the artifact and the provenance file
+(`multiple.intoto.jsonl`) from the
+[GitHub release](https://github.com/cloudnative-pg/cloudnative-pg/releases),
+then run:
+
+```shell
+slsa-verifier verify-artifact <ARTIFACT> \
+  --provenance-path multiple.intoto.jsonl \
+  --source-uri github.com/cloudnative-pg/cloudnative-pg
+```
+
 ### Verifying the operator container images
 
 Run the following command to verify the signature of the CloudNativePG operator
@@ -420,6 +433,11 @@ docker buildx imagetools inspect ghcr.io/cloudnative-pg/cloudnative-pg:{tag} \
   --format '{{ json (index .Provenance "linux/amd64").SLSA }}'
 ```
 
+:::info
+Refer to ["Verifying SLSA provenance"](security.md#verifying-slsa-provenance)
+for SLSA Build Level 3 compliance verification.
+:::
+
 ### Verifying PostgreSQL operand images
 
 CloudNativePG maintains container images for all supported PostgreSQL versions
diff --git a/website/docs/security.md b/website/docs/security.md
@@ -149,9 +149,11 @@ traceability:
   comprehensive list of software artifacts included in the image or used during
   its build process, formatted using the
   [in-toto SPDX predicate standard](https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md).
-- **[Provenance](https://docs.docker.com/build/metadata/attestations/slsa-provenance/):**
-  Metadata detailing how the image was built, following the [SLSA Provenance](https://slsa.dev)
-  framework.
+- **Provenance:** Metadata detailing the build process, generated via the
+  [SLSA GitHub Generator Github action](https://github.com/slsa-framework/slsa-github-generator).
+  This provides [SLSA Level 3 assurance](https://slsa.dev/spec/v1.0/levels)
+  that the artifact was built on a trusted, isolated GitHub Actions runner
+  directly from the project's source.
 
 You can retrieve the SBOM for a specific image and platform using the following
 command:
@@ -164,13 +166,26 @@ docker buildx imagetools inspect <IMAGE> \
 This command outputs the SBOM in JSON format, providing a detailed view of the
 software components and build dependencies.
 
-For the provenance, use:
+For the build-level provenance, use:
 
 ```shell
 docker buildx imagetools inspect <IMAGE> \
   --format '{{ json (index .Provenance "<PLATFORM>").SLSA }}'
 ```
 
+#### Verifying SLSA provenance
+
+You can verify SLSA Level 3 provenance using
+[`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier).
+
+To verify a container image, pass its digest reference:
+
+```shell
+slsa-verifier verify-image \
+  ghcr.io/cloudnative-pg/cloudnative-pg@sha256:<DIGEST> \
+  --source-uri github.com/cloudnative-pg/cloudnative-pg
+```
+
 ### Guidelines and Frameworks for Container Security
 
 The following guidelines and frameworks have been considered for ensuring
