Provenance viewer
Render an in-toto statement — bare JSON or inside a DSSE envelope — with its SLSA provenance decoded: who built the artifact, from what, and how.
Requests are processed in memory on our server by the open-source PHP packages this site documents — nothing is stored, and request bodies are never logged.
Result
Statement, predicate, envelope
An in-toto statement binds subjects (artifacts, by digest) to a typed predicate — for build provenance that's SLSA, which records the builder, the build type, external parameters and resolved dependencies. Signed, the statement travels inside a DSSE envelope; that's exactly what GitHub artifact attestations carry. For a full Sigstore bundle (certificate + transparency log), use the bundle inspector instead.
Do it in PHP
use K2gl\Dsse\Envelope;
use K2gl\InToto\Statement;
use K2gl\Slsa\Provenance;
$statement = Statement::fromEnvelope(Envelope::fromJson($envelopeJson));
$provenance = Provenance::fromStatement($statement); // SLSA v1, typed
echo $provenance->runDetails->builder->id; Powered by k2gl/in-toto-attestation and k2gl/slsa-provenance, with k2gl/dsse for the envelope.