chore: Update discovery artifacts (#1603)

## Deleted keys were detected in the following stable discovery artifacts:
containeranalysis v1 https://github.com/googleapis/google-api-python-client/commit/618985bd0fa3f0380152e8d33e3b30ba465e1f2d
documentai v1 https://github.com/googleapis/google-api-python-client/commit/3ba31828b05604eaa23101d681354b39c75d712d
recaptchaenterprise v1 https://github.com/googleapis/google-api-python-client/commit/ff95700fce7de8bc2a58be64890740140532f865

## Deleted keys were detected in the following pre-stable discovery artifacts:
containeranalysis v1alpha1 https://github.com/googleapis/google-api-python-client/commit/618985bd0fa3f0380152e8d33e3b30ba465e1f2d
containeranalysis v1beta1 https://github.com/googleapis/google-api-python-client/commit/618985bd0fa3f0380152e8d33e3b30ba465e1f2d
documentai v1beta3 https://github.com/googleapis/google-api-python-client/commit/3ba31828b05604eaa23101d681354b39c75d712d

## Discovery Artifact Change Summary:
feat(bigtableadmin): update the api https://github.com/googleapis/google-api-python-client/commit/be7ffcca66cdcb1dfcd9849538772914c90b3ea0
feat(chromemanagement): update the api https://github.com/googleapis/google-api-python-client/commit/59c97996091063cdad497be989d168ec1e71a178
feat(cloudasset): update the api https://github.com/googleapis/google-api-python-client/commit/60f5758b975a9bbac044b9005601c5c026125137
feat(cloudfunctions): update the api https://github.com/googleapis/google-api-python-client/commit/c517033bea4e84d1c118f77df38e2f33b3741ec2
feat(contactcenterinsights): update the api https://github.com/googleapis/google-api-python-client/commit/9ac9faa70c053fd1f5b2de7b6ef5947a04270dba
feat(containeranalysis): update the api https://github.com/googleapis/google-api-python-client/commit/618985bd0fa3f0380152e8d33e3b30ba465e1f2d
feat(datapipelines): update the api https://github.com/googleapis/google-api-python-client/commit/a39bb0f9b41255adf6c790130931f64a153ac0e8
feat(datastore): update the api https://github.com/googleapis/google-api-python-client/commit/5050adbdc30c4247e2454a7e063c7f7ea2724bc0
feat(dialogflow): update the api https://github.com/googleapis/google-api-python-client/commit/fd46c128ec3d0679283e3cddb1c40eb8b5f3728a
feat(documentai): update the api https://github.com/googleapis/google-api-python-client/commit/3ba31828b05604eaa23101d681354b39c75d712d
feat(drive): update the api https://github.com/googleapis/google-api-python-client/commit/b1840b06a09ec22db69d757706aa98d2bf536a49
feat(file): update the api https://github.com/googleapis/google-api-python-client/commit/b13a2490844c5c84c42e26c7e5bafdf700e689df
feat(gkehub): update the api https://github.com/googleapis/google-api-python-client/commit/37cce48342813c865a2704ca06841f1801ebb60c
feat(healthcare): update the api https://github.com/googleapis/google-api-python-client/commit/8d1f955971aae9e0e4b7956906e43382fcf57d20
feat(metastore): update the api https://github.com/googleapis/google-api-python-client/commit/9c90df783a1fac104920100158ddb7c88d461545
feat(monitoring): update the api https://github.com/googleapis/google-api-python-client/commit/bf890b636ae02bb1d84e050df052fa341a29a4c1
feat(mybusinessbusinessinformation): update the api https://github.com/googleapis/google-api-python-client/commit/90e206c145790d0f9a78bbd7acb2667796868db7
feat(paymentsresellersubscription): update the api https://github.com/googleapis/google-api-python-client/commit/c8796544acc40e330276b7777c728782217b1bb4
feat(recaptchaenterprise): update the api https://github.com/googleapis/google-api-python-client/commit/ff95700fce7de8bc2a58be64890740140532f865
feat(recommender): update the api https://github.com/googleapis/google-api-python-client/commit/d85fe38478c2cb56b3694e6890f6d53c367e057d
feat(securitycenter): update the api https://github.com/googleapis/google-api-python-client/commit/35a6d4e716f26c77b3588f28d3097871a29dea7e
feat(speech): update the api https://github.com/googleapis/google-api-python-client/commit/13f1bcb6311e0ea11ad60a29713c1a0a1fe22f42
feat(sqladmin): update the api https://github.com/googleapis/google-api-python-client/commit/770bc14b5f95b525bd04e40378a718a38ac31a0d
feat(tpu): update the api https://github.com/googleapis/google-api-python-client/commit/ea30e3a05539e4de70e385a34490153f32c16789
feat(vmmigration): update the api https://github.com/googleapis/google-api-python-client/commit/80e20909242c4bde06b8adc3afecf1141be34f45
diff --git a/docs/dyn/containeranalysis_v1.projects.occurrences.html b/docs/dyn/containeranalysis_v1.projects.occurrences.html
index cbbfb1f..91389ac 100644
--- a/docs/dyn/containeranalysis_v1.projects.occurrences.html
+++ b/docs/dyn/containeranalysis_v1.projects.occurrences.html
@@ -141,7 +141,7 @@
         ],
       },
       "build": { # Details of a build occurrence. # Describes a verifiable build.
-        "intotoProvenance": { # In-toto Provenance representation as defined in spec.
+        "intotoProvenance": { # Deprecated. See InTotoStatement for the replacement. In-toto Provenance representation as defined in spec.
           "builderConfig": { # required
             "id": "A String",
           },
@@ -175,7 +175,88 @@
             "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
           },
         },
-        "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # Required. The actual provenance for the build.
+        "intotoStatement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json". # In-toto Statement representation as defined in spec. The intoto_statement can contain any type of provenance. The serialized payload of the statement can be stored and signed in the Occurrence's envelope.
+          "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+          "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
+          "provenance": {
+            "builderConfig": { # required
+              "id": "A String",
+            },
+            "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+              "A String",
+            ],
+            "metadata": { # Other properties of the build.
+              "buildFinishedOn": "A String", # The timestamp of when the build completed.
+              "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+              "buildStartedOn": "A String", # The timestamp of when the build started.
+              "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+                "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+                "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+                "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+              },
+              "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+            },
+            "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+              "arguments": [ # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Since the arguments field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+                {
+                  "a_key": "", # Properties of the object. Contains field @type with type URL.
+                },
+              ],
+              "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+              "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+              "environment": [ # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Since the environment field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+                {
+                  "a_key": "", # Properties of the object. Contains field @type with type URL.
+                },
+              ],
+              "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+            },
+          },
+          "slsaProvenance": {
+            "builder": { # required
+              "id": "A String",
+            },
+            "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+              {
+                "digest": {
+                  "a_key": "A String",
+                },
+                "uri": "A String",
+              },
+            ],
+            "metadata": { # Other properties of the build.
+              "buildFinishedOn": "A String", # The timestamp of when the build completed.
+              "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+              "buildStartedOn": "A String", # The timestamp of when the build started.
+              "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+                "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+                "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+                "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+              },
+              "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+            },
+            "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+              "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+              "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+              "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+            },
+          },
+          "subject": [
+            {
+              "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
+                "a_key": "A String",
+              },
+              "name": "A String",
+            },
+          ],
+        },
+        "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # The actual provenance for the build.
           "buildOptions": { # Special options applied to this build. This is a catch-all field where build providers can enter any desired additional details.
             "a_key": "A String",
           },
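Review bot: The added `intotoStatement` description lists both `provenance` and `slsaProvenance` but documents only one `predicateType` value (`"https://slsa.dev/provenance/v0.1"` for SlsaProvenance), so it does not say which field a consumer should read for a given statement or whether both can be set. The two shapes also differ: `materials` is a list of strings in one and of `uri`/`digest` objects in the other, and `recipe.arguments` is a list versus an object, which matters to anyone evaluating build policy from these fields. In the same hunk `build.provenance` loses its `Required.` marker, so readers that assumed it is always present need to handle its absence. This file appears to be generated, so the wording would have to be fixed in the source API description; the same text is repeated in the hunk at `@@ -584,7 +700,88 @@`.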
@@ -332,7 +413,7 @@
         "cpe": "A String", # The CPE of the resource being scanned.
         "lastScanTime": "A String", # The last time this resource was scanned.
       },
-      "dsseAttestation": { # Describes an attestation of an artifact using dsse.
+      "dsseAttestation": { # Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence. # Describes an attestation of an artifact using dsse.
         "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # If doing something security critical, make sure to verify the signatures in this metadata.
           "payload": "A String",
           "payloadType": "A String",
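Review bot: The deprecation text added to `dsseAttestation` sends users to the Envelope at the top level of the Occurrence, but the warning `If doing something security critical, make sure to verify the signatures in this metadata.` remains only on the deprecated nested `envelope`. The top-level `envelope` description visible later in this file carries just the DSSE link, so a reader following the migration advice no longer sees the verification reminder. That sentence should be appended to the top-level `envelope` description as well. The hunk at `@@ -741,7 +938,7 @@` makes the same change and has the same gap.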
@@ -344,7 +425,8 @@
           ],
         },
         "statement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".
-          "predicateType": "A String", # "https://in-toto.io/Provenance/v0.1" for InTotoProvenance.
+          "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+          "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
           "provenance": {
             "builderConfig": { # required
               "id": "A String",
@@ -379,15 +461,49 @@
               "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
             },
           },
+          "slsaProvenance": {
+            "builder": { # required
+              "id": "A String",
+            },
+            "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+              {
+                "digest": {
+                  "a_key": "A String",
+                },
+                "uri": "A String",
+              },
+            ],
+            "metadata": { # Other properties of the build.
+              "buildFinishedOn": "A String", # The timestamp of when the build completed.
+              "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+              "buildStartedOn": "A String", # The timestamp of when the build started.
+              "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+                "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+                "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+                "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+              },
+              "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+            },
+            "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+              "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+              "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+              "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+            },
+          },
           "subject": [
             {
-              "digest": { # "": ""
+              "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
                 "a_key": "A String",
               },
               "name": "A String",
             },
           ],
-          "type": "A String", # Always "https://in-toto.io/Statement/v0.1".
         },
       },
       "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # https://github.com/secure-systems-lab/dsse
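Review bot: The `statement` object loses its `"type"` key at the end of this hunk while `@@ -344,7 +425,8 @@` adds `"_type"` with the same description, which reads as a rename that the docs never state. A consumer that compares `statement["type"]` with `https://in-toto.io/Statement/v0.1` before accepting a payload would presumably find the key missing on newer data, and the `predicateType` comment swaps the in-toto provenance URI for the SLSA one without saying whether the old value is still emitted. A one-line migration remark on `_type`, for example `# Replaces the former "type" key.`, would make the break visible. Separately, the `digest` comment still opens with `# "": ""`, which looks like placeholder names lost during generation.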
@@ -550,7 +666,7 @@
         ],
       },
       "build": { # Details of a build occurrence. # Describes a verifiable build.
-        "intotoProvenance": { # In-toto Provenance representation as defined in spec.
+        "intotoProvenance": { # Deprecated. See InTotoStatement for the replacement. In-toto Provenance representation as defined in spec.
           "builderConfig": { # required
             "id": "A String",
           },
@@ -584,7 +700,88 @@
             "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
           },
         },
-        "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # Required. The actual provenance for the build.
+        "intotoStatement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json". # In-toto Statement representation as defined in spec. The intoto_statement can contain any type of provenance. The serialized payload of the statement can be stored and signed in the Occurrence's envelope.
+          "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+          "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
+          "provenance": {
+            "builderConfig": { # required
+              "id": "A String",
+            },
+            "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+              "A String",
+            ],
+            "metadata": { # Other properties of the build.
+              "buildFinishedOn": "A String", # The timestamp of when the build completed.
+              "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+              "buildStartedOn": "A String", # The timestamp of when the build started.
+              "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+                "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+                "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+                "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+              },
+              "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+            },
+            "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+              "arguments": [ # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Since the arguments field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+                {
+                  "a_key": "", # Properties of the object. Contains field @type with type URL.
+                },
+              ],
+              "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+              "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+              "environment": [ # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Since the environment field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+                {
+                  "a_key": "", # Properties of the object. Contains field @type with type URL.
+                },
+              ],
+              "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+            },
+          },
+          "slsaProvenance": {
+            "builder": { # required
+              "id": "A String",
+            },
+            "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+              {
+                "digest": {
+                  "a_key": "A String",
+                },
+                "uri": "A String",
+              },
+            ],
+            "metadata": { # Other properties of the build.
+              "buildFinishedOn": "A String", # The timestamp of when the build completed.
+              "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+              "buildStartedOn": "A String", # The timestamp of when the build started.
+              "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+                "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+                "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+                "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+              },
+              "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+            },
+            "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+              "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+              "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+              "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+            },
+          },
+          "subject": [
+            {
+              "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
+                "a_key": "A String",
+              },
+              "name": "A String",
+            },
+          ],
+        },
+        "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # The actual provenance for the build.
           "buildOptions": { # Special options applied to this build. This is a catch-all field where build providers can enter any desired additional details.
             "a_key": "A String",
           },
@@ -741,7 +938,7 @@
         "cpe": "A String", # The CPE of the resource being scanned.
         "lastScanTime": "A String", # The last time this resource was scanned.
       },
-      "dsseAttestation": { # Describes an attestation of an artifact using dsse.
+      "dsseAttestation": { # Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence. # Describes an attestation of an artifact using dsse.
         "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # If doing something security critical, make sure to verify the signatures in this metadata.
           "payload": "A String",
           "payloadType": "A String",
@@ -753,7 +950,8 @@
           ],
         },
         "statement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".
-          "predicateType": "A String", # "https://in-toto.io/Provenance/v0.1" for InTotoProvenance.
+          "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+          "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
           "provenance": {
             "builderConfig": { # required
               "id": "A String",
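Review bot: The new `predicateType` comment names only the SLSA URI, while the `provenance` object for the older in-toto predicate is still present directly below it, so the doc no longer says which value selects which predicate. A verifier that dispatches on `predicateType` needs both values; if the older predicate is still accepted, the comment could read `# "https://slsa.dev/provenance/v0.1" for SlsaProvenance, "https://in-toto.io/Provenance/v0.1" for InTotoProvenance.` The same wording recurs in the later `statement` hunks and in the added `intotoStatement` blocks. This text looks generated from the API definition, so the wording would presumably have to change there; the `statement` object continues outside this hunk.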
@@ -788,15 +986,49 @@
               "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
             },
           },
+          "slsaProvenance": {
+            "builder": { # required
+              "id": "A String",
+            },
+            "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+              {
+                "digest": {
+                  "a_key": "A String",
+                },
+                "uri": "A String",
+              },
+            ],
+            "metadata": { # Other properties of the build.
+              "buildFinishedOn": "A String", # The timestamp of when the build completed.
+              "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+              "buildStartedOn": "A String", # The timestamp of when the build started.
+              "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+                "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+                "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+                "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+              },
+              "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+            },
+            "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+              "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+              "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+              "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+            },
+          },
           "subject": [
             {
-              "digest": { # "": ""
+              "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
                 "a_key": "A String",
               },
               "name": "A String",
             },
           ],
-          "type": "A String", # Always "https://in-toto.io/Statement/v0.1".
         },
       },
       "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # https://github.com/secure-systems-lab/dsse
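Review bot: The reworded `subject[].digest` comment still opens with `"": ""`, which reads like an algorithm/value placeholder pair whose contents were lost, possibly angle-bracket text swallowed during doc generation. Spelling it out would be clearer, e.g. `# Map of digest algorithm name to hex-encoded value, e.g. sha256, sha512. See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet`. The new `slsaProvenance.materials[].digest` in this hunk has no comment at all and could reuse the same sentence, since that map is what a consumer compares against the artifact it fetched. The same comment appears in the other `subject` hunks further down.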
@@ -964,7 +1196,7 @@
     ],
   },
   "build": { # Details of a build occurrence. # Describes a verifiable build.
-    "intotoProvenance": { # In-toto Provenance representation as defined in spec.
+    "intotoProvenance": { # Deprecated. See InTotoStatement for the replacement. In-toto Provenance representation as defined in spec.
       "builderConfig": { # required
         "id": "A String",
       },
@@ -998,7 +1230,88 @@
         "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
       },
     },
-    "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # Required. The actual provenance for the build.
+    "intotoStatement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json". # In-toto Statement representation as defined in spec. The intoto_statement can contain any type of provenance. The serialized payload of the statement can be stored and signed in the Occurrence's envelope.
+      "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+      "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
+      "provenance": {
+        "builderConfig": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          "A String",
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": [ # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Since the arguments field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+            {
+              "a_key": "", # Properties of the object. Contains field @type with type URL.
+            },
+          ],
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": [ # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Since the environment field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+            {
+              "a_key": "", # Properties of the object. Contains field @type with type URL.
+            },
+          ],
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
+      "slsaProvenance": {
+        "builder": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          {
+            "digest": {
+              "a_key": "A String",
+            },
+            "uri": "A String",
+          },
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
+      "subject": [
+        {
+          "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
+            "a_key": "A String",
+          },
+          "name": "A String",
+        },
+      ],
+    },
+    "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # The actual provenance for the build.
       "buildOptions": { # Special options applied to this build. This is a catch-all field where build providers can enter any desired additional details.
         "a_key": "A String",
       },
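Review bot: The `intotoStatement` description says the serialized statement "can be stored and signed in the Occurrence's envelope", but gives no reminder that the unpacked fields shown here are presumably only as trustworthy as that signature check. The `dsseAttestation.envelope` comment elsewhere in this file does tell readers to verify the signatures. I would add the same caveat here, e.g. `# If doing something security critical, verify the envelope signatures and compare the decoded payload with this statement.` Separately, `provenance.materials` is a list of strings while `slsaProvenance.materials` is a list of `{digest, uri}` objects, and `recipe.arguments`/`recipe.environment` are lists in one and objects in the other, so a sentence noting that the two predicates differ in shape would help consumers avoid parsing one as the other. The identical block is added again in the later `build` hunk.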
@@ -1155,7 +1468,7 @@
     "cpe": "A String", # The CPE of the resource being scanned.
     "lastScanTime": "A String", # The last time this resource was scanned.
   },
-  "dsseAttestation": { # Describes an attestation of an artifact using dsse.
+  "dsseAttestation": { # Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence. # Describes an attestation of an artifact using dsse.
     "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # If doing something security critical, make sure to verify the signatures in this metadata.
       "payload": "A String",
       "payloadType": "A String",
@@ -1167,7 +1480,8 @@
       ],
     },
     "statement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".
-      "predicateType": "A String", # "https://in-toto.io/Provenance/v0.1" for InTotoProvenance.
+      "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+      "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
       "provenance": {
         "builderConfig": { # required
           "id": "A String",
@@ -1202,15 +1516,49 @@
           "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
         },
       },
+      "slsaProvenance": {
+        "builder": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          {
+            "digest": {
+              "a_key": "A String",
+            },
+            "uri": "A String",
+          },
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
       "subject": [
         {
-          "digest": { # "": ""
+          "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
             "a_key": "A String",
           },
           "name": "A String",
         },
       ],
-      "type": "A String", # Always "https://in-toto.io/Statement/v0.1".
     },
   },
   "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # https://github.com/secure-systems-lab/dsse
@@ -1369,7 +1717,7 @@
     ],
   },
   "build": { # Details of a build occurrence. # Describes a verifiable build.
-    "intotoProvenance": { # In-toto Provenance representation as defined in spec.
+    "intotoProvenance": { # Deprecated. See InTotoStatement for the replacement. In-toto Provenance representation as defined in spec.
       "builderConfig": { # required
         "id": "A String",
       },
@@ -1403,7 +1751,88 @@
         "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
       },
     },
-    "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # Required. The actual provenance for the build.
+    "intotoStatement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json". # In-toto Statement representation as defined in spec. The intoto_statement can contain any type of provenance. The serialized payload of the statement can be stored and signed in the Occurrence's envelope.
+      "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+      "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
+      "provenance": {
+        "builderConfig": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          "A String",
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": [ # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Since the arguments field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+            {
+              "a_key": "", # Properties of the object. Contains field @type with type URL.
+            },
+          ],
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": [ # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Since the environment field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+            {
+              "a_key": "", # Properties of the object. Contains field @type with type URL.
+            },
+          ],
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
+      "slsaProvenance": {
+        "builder": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          {
+            "digest": {
+              "a_key": "A String",
+            },
+            "uri": "A String",
+          },
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
+      "subject": [
+        {
+          "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
+            "a_key": "A String",
+          },
+          "name": "A String",
+        },
+      ],
+    },
+    "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # The actual provenance for the build.
       "buildOptions": { # Special options applied to this build. This is a catch-all field where build providers can enter any desired additional details.
         "a_key": "A String",
       },
@@ -1560,7 +1989,7 @@
     "cpe": "A String", # The CPE of the resource being scanned.
     "lastScanTime": "A String", # The last time this resource was scanned.
   },
-  "dsseAttestation": { # Describes an attestation of an artifact using dsse.
+  "dsseAttestation": { # Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence. # Describes an attestation of an artifact using dsse.
     "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # If doing something security critical, make sure to verify the signatures in this metadata.
       "payload": "A String",
       "payloadType": "A String",
@@ -1572,7 +2001,8 @@
       ],
     },
     "statement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".
-      "predicateType": "A String", # "https://in-toto.io/Provenance/v0.1" for InTotoProvenance.
+      "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+      "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
       "provenance": {
         "builderConfig": { # required
           "id": "A String",
@@ -1607,15 +2037,49 @@
           "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
         },
       },
+      "slsaProvenance": {
+        "builder": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          {
+            "digest": {
+              "a_key": "A String",
+            },
+            "uri": "A String",
+          },
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
       "subject": [
         {
-          "digest": { # "": ""
+          "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
             "a_key": "A String",
           },
           "name": "A String",
         },
       ],
-      "type": "A String", # Always "https://in-toto.io/Statement/v0.1".
     },
   },
   "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # https://github.com/secure-systems-lab/dsse
@@ -1799,7 +2263,7 @@
     ],
   },
   "build": { # Details of a build occurrence. # Describes a verifiable build.
-    "intotoProvenance": { # In-toto Provenance representation as defined in spec.
+    "intotoProvenance": { # Deprecated. See InTotoStatement for the replacement. In-toto Provenance representation as defined in spec.
       "builderConfig": { # required
         "id": "A String",
       },
@@ -1833,7 +2297,88 @@
         "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
       },
     },
-    "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # Required. The actual provenance for the build.
+    "intotoStatement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json". # In-toto Statement representation as defined in spec. The intoto_statement can contain any type of provenance. The serialized payload of the statement can be stored and signed in the Occurrence's envelope.
+      "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+      "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
+      "provenance": {
+        "builderConfig": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          "A String",
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": [ # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Since the arguments field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+            {
+              "a_key": "", # Properties of the object. Contains field @type with type URL.
+            },
+          ],
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": [ # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Since the environment field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+            {
+              "a_key": "", # Properties of the object. Contains field @type with type URL.
+            },
+          ],
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
+      "slsaProvenance": {
+        "builder": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          {
+            "digest": {
+              "a_key": "A String",
+            },
+            "uri": "A String",
+          },
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
+      "subject": [
+        {
+          "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
+            "a_key": "A String",
+          },
+          "name": "A String",
+        },
+      ],
+    },
+    "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # The actual provenance for the build.
       "buildOptions": { # Special options applied to this build. This is a catch-all field where build providers can enter any desired additional details.
         "a_key": "A String",
       },
@@ -1990,7 +2535,7 @@
     "cpe": "A String", # The CPE of the resource being scanned.
     "lastScanTime": "A String", # The last time this resource was scanned.
   },
-  "dsseAttestation": { # Describes an attestation of an artifact using dsse.
+  "dsseAttestation": { # Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence. # Describes an attestation of an artifact using dsse.
     "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # If doing something security critical, make sure to verify the signatures in this metadata.
       "payload": "A String",
       "payloadType": "A String",
@@ -2002,7 +2547,8 @@
       ],
     },
     "statement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".
-      "predicateType": "A String", # "https://in-toto.io/Provenance/v0.1" for InTotoProvenance.
+      "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+      "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
       "provenance": {
         "builderConfig": { # required
           "id": "A String",
@@ -2037,15 +2583,49 @@
           "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
         },
       },
+      "slsaProvenance": {
+        "builder": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          {
+            "digest": {
+              "a_key": "A String",
+            },
+            "uri": "A String",
+          },
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
       "subject": [
         {
-          "digest": { # "": ""
+          "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
             "a_key": "A String",
           },
           "name": "A String",
         },
       ],
-      "type": "A String", # Always "https://in-toto.io/Statement/v0.1".
     },
   },
   "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # https://github.com/secure-systems-lab/dsse
@@ -2192,7 +2772,7 @@
 
 { # Request message for `GetIamPolicy` method.
   "options": { # Encapsulates settings provided to GetIamPolicy. # OPTIONAL: A `GetPolicyOptions` object for specifying options to `GetIamPolicy`.
-    "requestedPolicyVersion": 42, # Optional. The policy format version to be returned. Valid values are 0, 1, and 3. Requests specifying an invalid value will be rejected. Requests for policies with any conditional bindings must specify version 3. Policies without any conditional bindings may specify any valid value or leave the field unset. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
+    "requestedPolicyVersion": 42, # Optional. The maximum policy version that will be used to format the policy. Valid values are 0, 1, and 3. Requests specifying an invalid value will be rejected. Requests for policies with any conditional role bindings must specify version 3. Policies with no conditional role bindings may specify any valid value or leave the field unset. The policy in the response might use the policy version that you specified, or it might use a lower policy version. For example, if you specify version 3, but the policy has no conditional role bindings, the response uses version 1. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
   },
 }
 
@@ -2499,7 +3079,7 @@
         ],
       },
       "build": { # Details of a build occurrence. # Describes a verifiable build.
-        "intotoProvenance": { # In-toto Provenance representation as defined in spec.
+        "intotoProvenance": { # Deprecated. See InTotoStatement for the replacement. In-toto Provenance representation as defined in spec.
           "builderConfig": { # required
             "id": "A String",
           },
@@ -2533,7 +3113,88 @@
             "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
           },
         },
-        "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # Required. The actual provenance for the build.
+        "intotoStatement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json". # In-toto Statement representation as defined in spec. The intoto_statement can contain any type of provenance. The serialized payload of the statement can be stored and signed in the Occurrence's envelope.
+          "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+          "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
+          "provenance": {
+            "builderConfig": { # required
+              "id": "A String",
+            },
+            "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+              "A String",
+            ],
+            "metadata": { # Other properties of the build.
+              "buildFinishedOn": "A String", # The timestamp of when the build completed.
+              "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+              "buildStartedOn": "A String", # The timestamp of when the build started.
+              "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+                "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+                "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+                "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+              },
+              "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+            },
+            "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+              "arguments": [ # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Since the arguments field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+                {
+                  "a_key": "", # Properties of the object. Contains field @type with type URL.
+                },
+              ],
+              "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+              "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+              "environment": [ # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Since the environment field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+                {
+                  "a_key": "", # Properties of the object. Contains field @type with type URL.
+                },
+              ],
+              "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+            },
+          },
+          "slsaProvenance": {
+            "builder": { # required
+              "id": "A String",
+            },
+            "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+              {
+                "digest": {
+                  "a_key": "A String",
+                },
+                "uri": "A String",
+              },
+            ],
+            "metadata": { # Other properties of the build.
+              "buildFinishedOn": "A String", # The timestamp of when the build completed.
+              "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+              "buildStartedOn": "A String", # The timestamp of when the build started.
+              "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+                "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+                "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+                "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+              },
+              "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+            },
+            "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+              "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+              "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+              "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+            },
+          },
+          "subject": [
+            {
+              "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
+                "a_key": "A String",
+              },
+              "name": "A String",
+            },
+          ],
+        },
+        "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # The actual provenance for the build.
           "buildOptions": { # Special options applied to this build. This is a catch-all field where build providers can enter any desired additional details.
             "a_key": "A String",
           },
@@ -2690,7 +3351,7 @@
         "cpe": "A String", # The CPE of the resource being scanned.
         "lastScanTime": "A String", # The last time this resource was scanned.
       },
-      "dsseAttestation": { # Describes an attestation of an artifact using dsse.
+      "dsseAttestation": { # Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence. # Describes an attestation of an artifact using dsse.
         "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # If doing something security critical, make sure to verify the signatures in this metadata.
           "payload": "A String",
           "payloadType": "A String",
@@ -2702,7 +3363,8 @@
           ],
         },
         "statement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".
-          "predicateType": "A String", # "https://in-toto.io/Provenance/v0.1" for InTotoProvenance.
+          "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+          "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
           "provenance": {
             "builderConfig": { # required
               "id": "A String",
@@ -2737,15 +3399,49 @@
               "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
             },
           },
+          "slsaProvenance": {
+            "builder": { # required
+              "id": "A String",
+            },
+            "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+              {
+                "digest": {
+                  "a_key": "A String",
+                },
+                "uri": "A String",
+              },
+            ],
+            "metadata": { # Other properties of the build.
+              "buildFinishedOn": "A String", # The timestamp of when the build completed.
+              "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+              "buildStartedOn": "A String", # The timestamp of when the build started.
+              "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+                "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+                "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+                "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+              },
+              "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+            },
+            "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+              "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+              "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+              "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+                "a_key": "", # Properties of the object. Contains field @type with type URL.
+              },
+              "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+            },
+          },
           "subject": [
             {
-              "digest": { # "": ""
+              "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
                 "a_key": "A String",
               },
               "name": "A String",
             },
           ],
-          "type": "A String", # Always "https://in-toto.io/Statement/v0.1".
         },
       },
       "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # https://github.com/secure-systems-lab/dsse
@@ -2922,7 +3618,7 @@
     ],
   },
   "build": { # Details of a build occurrence. # Describes a verifiable build.
-    "intotoProvenance": { # In-toto Provenance representation as defined in spec.
+    "intotoProvenance": { # Deprecated. See InTotoStatement for the replacement. In-toto Provenance representation as defined in spec.
       "builderConfig": { # required
         "id": "A String",
       },
@@ -2956,7 +3652,88 @@
         "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
       },
     },
-    "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # Required. The actual provenance for the build.
+    "intotoStatement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json". # In-toto Statement representation as defined in spec. The intoto_statement can contain any type of provenance. The serialized payload of the statement can be stored and signed in the Occurrence's envelope.
+      "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+      "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
+      "provenance": {
+        "builderConfig": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          "A String",
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": [ # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Since the arguments field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+            {
+              "a_key": "", # Properties of the object. Contains field @type with type URL.
+            },
+          ],
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": [ # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Since the environment field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+            {
+              "a_key": "", # Properties of the object. Contains field @type with type URL.
+            },
+          ],
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
+      "slsaProvenance": {
+        "builder": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          {
+            "digest": {
+              "a_key": "A String",
+            },
+            "uri": "A String",
+          },
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
+      "subject": [
+        {
+          "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
+            "a_key": "A String",
+          },
+          "name": "A String",
+        },
+      ],
+    },
+    "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # The actual provenance for the build.
       "buildOptions": { # Special options applied to this build. This is a catch-all field where build providers can enter any desired additional details.
         "a_key": "A String",
       },
@@ -3113,7 +3890,7 @@
     "cpe": "A String", # The CPE of the resource being scanned.
     "lastScanTime": "A String", # The last time this resource was scanned.
   },
-  "dsseAttestation": { # Describes an attestation of an artifact using dsse.
+  "dsseAttestation": { # Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence. # Describes an attestation of an artifact using dsse.
     "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # If doing something security critical, make sure to verify the signatures in this metadata.
       "payload": "A String",
       "payloadType": "A String",
@@ -3125,7 +3902,8 @@
       ],
     },
     "statement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".
-      "predicateType": "A String", # "https://in-toto.io/Provenance/v0.1" for InTotoProvenance.
+      "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+      "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
       "provenance": {
         "builderConfig": { # required
           "id": "A String",
@@ -3160,15 +3938,49 @@
           "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
         },
       },
+      "slsaProvenance": {
+        "builder": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          {
+            "digest": {
+              "a_key": "A String",
+            },
+            "uri": "A String",
+          },
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
       "subject": [
         {
-          "digest": { # "": ""
+          "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
             "a_key": "A String",
           },
           "name": "A String",
         },
       ],
-      "type": "A String", # Always "https://in-toto.io/Statement/v0.1".
     },
   },
   "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # https://github.com/secure-systems-lab/dsse
@@ -3328,7 +4140,7 @@
     ],
   },
   "build": { # Details of a build occurrence. # Describes a verifiable build.
-    "intotoProvenance": { # In-toto Provenance representation as defined in spec.
+    "intotoProvenance": { # Deprecated. See InTotoStatement for the replacement. In-toto Provenance representation as defined in spec.
       "builderConfig": { # required
         "id": "A String",
       },
@@ -3362,7 +4174,88 @@
         "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
       },
     },
-    "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # Required. The actual provenance for the build.
+    "intotoStatement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json". # In-toto Statement representation as defined in spec. The intoto_statement can contain any type of provenance. The serialized payload of the statement can be stored and signed in the Occurrence's envelope.
+      "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+      "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
+      "provenance": {
+        "builderConfig": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          "A String",
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": [ # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Since the arguments field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+            {
+              "a_key": "", # Properties of the object. Contains field @type with type URL.
+            },
+          ],
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": [ # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Since the environment field can greatly vary in structure, depending on the builder and recipe type, this is of form "Any".
+            {
+              "a_key": "", # Properties of the object. Contains field @type with type URL.
+            },
+          ],
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
+      "slsaProvenance": {
+        "builder": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          {
+            "digest": {
+              "a_key": "A String",
+            },
+            "uri": "A String",
+          },
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
+      "subject": [
+        {
+          "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
+            "a_key": "A String",
+          },
+          "name": "A String",
+        },
+      ],
+    },
+    "provenance": { # Provenance of a build. Contains all information needed to verify the full details about the build from source to completion. # The actual provenance for the build.
       "buildOptions": { # Special options applied to this build. This is a catch-all field where build providers can enter any desired additional details.
         "a_key": "A String",
       },
@@ -3519,7 +4412,7 @@
     "cpe": "A String", # The CPE of the resource being scanned.
     "lastScanTime": "A String", # The last time this resource was scanned.
   },
-  "dsseAttestation": { # Describes an attestation of an artifact using dsse.
+  "dsseAttestation": { # Deprecated. Prefer to use a regular Occurrence, and populate the Envelope at the top level of the Occurrence. # Describes an attestation of an artifact using dsse.
     "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # If doing something security critical, make sure to verify the signatures in this metadata.
       "payload": "A String",
       "payloadType": "A String",
@@ -3531,7 +4424,8 @@
       ],
     },
     "statement": { # Spec defined at https://github.com/in-toto/attestation/tree/main/spec#statement The serialized InTotoStatement will be stored as Envelope.payload. Envelope.payloadType is always "application/vnd.in-toto+json".
-      "predicateType": "A String", # "https://in-toto.io/Provenance/v0.1" for InTotoProvenance.
+      "_type": "A String", # Always "https://in-toto.io/Statement/v0.1".
+      "predicateType": "A String", # "https://slsa.dev/provenance/v0.1" for SlsaProvenance.
       "provenance": {
         "builderConfig": { # required
           "id": "A String",
@@ -3566,15 +4460,49 @@
           "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
         },
       },
+      "slsaProvenance": {
+        "builder": { # required
+          "id": "A String",
+        },
+        "materials": [ # The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered to be incomplete unless metadata.completeness.materials is true. Unset or null is equivalent to empty.
+          {
+            "digest": {
+              "a_key": "A String",
+            },
+            "uri": "A String",
+          },
+        ],
+        "metadata": { # Other properties of the build.
+          "buildFinishedOn": "A String", # The timestamp of when the build completed.
+          "buildInvocationId": "A String", # Identifies the particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis. The value SHOULD be globally unique, per in-toto Provenance spec.
+          "buildStartedOn": "A String", # The timestamp of when the build started.
+          "completeness": { # Indicates that the builder claims certain fields in this message to be complete. # Indicates that the builder claims certain fields in this message to be complete.
+            "arguments": True or False, # If true, the builder claims that recipe.arguments is complete, meaning that all external inputs are properly captured in the recipe.
+            "environment": True or False, # If true, the builder claims that recipe.environment is claimed to be complete.
+            "materials": True or False, # If true, the builder claims that materials are complete, usually through some controls to prevent network access. Sometimes called "hermetic".
+          },
+          "reproducible": True or False, # If true, the builder claims that running the recipe on materials will produce bit-for-bit identical output.
+        },
+        "recipe": { # Steps taken to build the artifact. For a TaskRun, typically each container corresponds to one step in the recipe. # Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible). required
+          "arguments": { # Collection of all external inputs that influenced the build on top of recipe.definedInMaterial and recipe.entryPoint. For example, if the recipe type were "make", then this might be the flags passed to make aside from the target, which is captured in recipe.entryPoint. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "definedInMaterial": "A String", # Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself. Set to -1 if the recipe doesn't come from a material, as zero is default unset value for int64.
+          "entryPoint": "A String", # String identifying the entry point into the build. This is often a path to a configuration file and/or a target label within that file. The syntax and meaning are defined by recipe.type. For example, if the recipe type were "make", then this would reference the directory in which to run make as well as which target to use.
+          "environment": { # Any other builder-controlled inputs necessary for correctly evaluating the recipe. Usually only needed for reproducing the build but not evaluated as part of policy. Depending on the recipe Type, the structure may be different.
+            "a_key": "", # Properties of the object. Contains field @type with type URL.
+          },
+          "type": "A String", # URI indicating what type of recipe was performed. It determines the meaning of recipe.entryPoint, recipe.arguments, recipe.environment, and materials.
+        },
+      },
       "subject": [
         {
-          "digest": { # "": ""
+          "digest": { # "": "" Algorithms can be e.g. sha256, sha512 See https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet
             "a_key": "A String",
           },
           "name": "A String",
         },
       ],
-      "type": "A String", # Always "https://in-toto.io/Statement/v0.1".
     },
   },
   "envelope": { # MUST match https://github.com/secure-systems-lab/dsse/blob/master/envelope.proto. An authenticated message of arbitrary type. # https://github.com/secure-systems-lab/dsse