From b93cf114252ba04282d8a238cec99513350f7979 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:11:24 +0000 Subject: [PATCH] Update SLSA section of blogpost --- blog/docs/events/security-audit-2023.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog/docs/events/security-audit-2023.md b/blog/docs/events/security-audit-2023.md index fb214288897..11b7d1b9227 100644 --- a/blog/docs/events/security-audit-2023.md +++ b/blog/docs/events/security-audit-2023.md 
@@ -16,7 +16,7 @@ Ada Logics found 16 security issues of which all except for one have been fixed One CVE was assigned during the audit for a vulnerability that could allow an attacker with already escalated privileges to cause further damage in the cluster. The attacker needs to first establish a position in a Knative pod, and from there, they could exploit the vulnerability and cause denial of service of the Knative autoscaling, thereby denying any autoscaling of Knative. The issue was assigned CVE-2023-48713 of Moderate severity and has been fixed in v1.10.5, v1.12.0 and v1.11.3. -The auditors found that Knative does not include provenance with releases; Provenance is a critical component of complying with [SLSA](https://slsa.dev/) and ensuring tamper resistance of release artifacts. Recently, the SLSA community released v1.9.0 of the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) which produces SLSA L3 compliant provenance. slsa-github-generator ensures tamper-resistance of artifacts by producing verifiable provenance, thereby mitigating a series of known supply-chain risks, many of which have been exploited in the wild in recent years. Ada Logics recommend that Knative switches its build to the slsa-github-generator to comply with SLSA L3. +Prior to the audit, Knative had invested in building its own [provenance generator](https://github.com/knative/toolbox/tree/main/provenance-generator) which generates slsa-compliant provenance and adds it to releases. Users can verify the provenance using [the official SLSA guidelines](https://slsa.dev/spec/v1.0/verifying-artifacts) before consuming. The Knative maintainers found that Knative Serving was missing a few lines of Prow configuration which resulted in Knative Serving releases not having provenance. This was fixed [here](https://github.com/knative/infra/pull/288) which ensures that future releases of Knative Serving will include verifiable provenance. 
Knative would like to thank Ada Logics for conducting the security audit, OSTIF for facilitating it and the CNCF for funding the audit.
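Review bot: the replacement line drops the audit finding itself and leaves the SLSA level unstated. The removed line records that "The auditors found that Knative does not include provenance with releases", while the new line attributes the discovery to the maintainers ("The Knative maintainers found that Knative Serving was missing a few lines of Prow configuration"); since this is the audit write-up, keep the auditors' finding and then explain that the root cause was the missing Prow configuration for Serving, e.g. "The auditors found that Knative Serving releases did not include provenance; the cause was a few missing lines of Prow configuration, fixed in knative/infra#288." The removed text also named the level being targeted (SLSA L3), but the new text only says the generator "generates slsa-compliant provenance"; state the build level the provenance-generator actually attests to, since the linked verification guidelines depend on it, and write it as "SLSA-compliant" to match the capitalisation used elsewhere in the paragraph. Two smaller points: "before consuming" needs an object ("before consuming the release artifacts"), and the link text "here" should describe its target (for example "fixed in knative/infra#288").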