diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml
index 736a56b931b..0a2becb5cdb 100644
--- a/.github/workflows/provenance.yaml
+++ b/.github/workflows/provenance.yaml
@@ -28,6 +28,7 @@ jobs:
 - buildconfigs/key_xor_test_app.toml
 - buildconfigs/oak_containers_kernel.toml
 - buildconfigs/oak_containers_stage1.toml
+ - buildconfigs/oak_containers_system_image.toml
 - buildconfigs/oak_echo_enclave_app.toml
 - buildconfigs/oak_echo_raw_enclave_app.toml
 - buildconfigs/oak_functions_enclave_app.toml
diff --git a/buildconfigs/oak_containers_system_image.toml b/buildconfigs/oak_containers_system_image.toml
new file mode 100644
index 00000000000..3f2200cfbb4
--- /dev/null
+++ b/buildconfigs/oak_containers_system_image.toml
@@ -0,0 +1,12 @@
+# This is the static build configuration that we use with the docker-based SLSA3 generator for
+# building the `stage1` binary, and its provenance.
+# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker.
+command = [
+ "nix",
+ "develop",
+ ".#containers",
+ "--command",
+ "just",
+ "oak_containers_system_image",
+]
+artifact_path = "./oak_containers_system_image/target/image.tar.xz"
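Review bot: The header comment of the new buildconfigs/oak_containers_system_image.toml still says the configuration is for building the `stage1` binary, which looks carried over from the stage1 config; the command runs `just oak_containers_system_image` and the artifact is `image.tar.xz`. Because this file names the subject of the SLSA provenance, a reader auditing the attestation should be able to tell from the comment which artifact is covered, for example `# building the Oak Containers system image, and its provenance.`. A short comment above `artifact_path` stating that this is the file the provenance is generated for, and that it has to match what the `just` target writes, would also help; whether the target writes to that path is not visible in this diff.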