SLSA Framework
Governance & Compliance
Definition
Supply-chain Levels for Software Artifacts — a Google-originated, NIST-aligned security framework defining levels of build integrity, provenance verification, and supply chain attack resistance for software artifacts.
Technical Details
SLSA defines four levels of increasing rigor. Level 1 requires a documented build process; Level 2 requires a hosted build service that emits signed provenance; Level 3 requires hardened, auditable build environments whose provenance cannot be forged by the build's own steps; Level 4 (proposed) requires two-person review and hermetic builds. SLSA provenance attestations are expressed as in-toto statements and can be signed with OIDC-based keyless signing (Sigstore), giving a machine-verifiable chain of custody from source to artifact.
Practical Usage
Organizations adopting SLSA start by generating SLSA Level 1 provenance metadata for their build pipelines, progressing toward higher levels as maturity increases. Consumers of open source software can verify SLSA attestations to confirm that a package was built from the claimed source, by the claimed builder, without tampering.
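The consumer-side check described above, as an added illustration (not code from the SLSA project): a small Python policy verifier that takes a downloaded artifact and an in-toto Statement carrying a SLSA v1.0 provenance predicate, binds the artifact to the statement's subject by SHA-256, accepts only builders on an allow list, and confirms the build resolved the expected source repository pinned to a full git commit. The sample statement, repository, digests and builder id are constructed for this example; the field layout follows the published SLSA v1.0 provenance schema. It assumes the statement's DSSE envelope signature has already been verified by a tool such as cosign or slsa-verifier, which is where the Sigstore/OIDC step happens; this code is the policy check that follows signature verification.

```python
import hashlib
import json

# Constructed sample artifact and provenance (all values are made up for this demo).
SAMPLE_ARTIFACT = b"example release tarball bytes\n"
SAMPLE_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {
            "name": "example-1.2.3.tar.gz",
            "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()},
        }
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/buildtypes/ci-workflow/v1",  # constructed
            "externalParameters": {"ref": "refs/tags/v1.2.3"},
            "resolvedDependencies": [
                {
                    "uri": "git+https://github.com/example-org/example@refs/tags/v1.2.3",
                    "digest": {"gitCommit": "a" * 40},  # constructed commit id
                }
            ],
        },
        "runDetails": {
            # Constructed builder id; in practice this is the hosted builder's identity.
            "builder": {"id": "https://builder.example.invalid/release-workflow@v1"}
        },
    },
}

# Policy inputs (assumptions for this example): which builders we trust and which repo we expect.
TRUSTED_BUILDERS = {"https://builder.example.invalid/release-workflow@v1"}
EXPECTED_SOURCE = "https://github.com/example-org/example"


class ProvenanceError(Exception):
    """Raised when the artifact fails the provenance policy."""


def verify_provenance(artifact: bytes, statement: dict, expected_source: str, trusted_builders) -> dict:
    """Return the resolved source record if `statement` vouches for `artifact` under our policy.

    Checks, in order: statement/predicate types, subject digest binding,
    builder allow list, and a pinned source dependency for `expected_source`.
    Signature verification of the enclosing DSSE envelope is assumed to have
    happened before this function is called.
    """
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        raise ProvenanceError("not an in-toto v1 Statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        raise ProvenanceError("predicate is not SLSA provenance v1")

    # 1. Subject binding: the bytes we hold must be one of the statement's subjects.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        raise ProvenanceError(f"artifact sha256 {digest} is not a subject of this provenance")

    predicate = statement.get("predicate", {})

    # 2. Builder trust: from Level 2 upward the guarantee rests on the build platform,
    #    so only an allow-listed builder id is acceptable.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if builder_id not in trusted_builders:
        raise ProvenanceError(f"untrusted builder id: {builder_id!r}")

    # 3. Source check: the build must have resolved exactly the expected repository,
    #    pinned to a full commit id (a prefix match would accept look-alike repos).
    for dep in predicate.get("buildDefinition", {}).get("resolvedDependencies", []):
        uri = dep.get("uri", "")
        repo = uri[len("git+"):].split("@", 1)[0] if uri.startswith("git+") else None
        if repo == expected_source:
            commit = dep.get("digest", {}).get("gitCommit")
            if not commit or len(commit) != 40:
                raise ProvenanceError("source dependency is not pinned to a full git commit")
            return {"uri": uri, "gitCommit": commit, "builder": builder_id}
    raise ProvenanceError(f"provenance does not record a build from {expected_source}")


if __name__ == "__main__":
    result = verify_provenance(SAMPLE_ARTIFACT, SAMPLE_PROVENANCE, EXPECTED_SOURCE, TRUSTED_BUILDERS)
    print(json.dumps(result, indent=2))
```

The order of the checks matters for what a failure tells you: a subject mismatch means the provenance is for different bytes (or the artifact was modified after the build), a builder mismatch means the attestation may be valid but does not come from a platform you rely on, and a missing or unpinned source record means the statement cannot support the "built from the claimed source" claim even if everything else lines up.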
Examples
- Google publishes SLSA-compliant provenance for its open source releases, allowing downstream users to verify build integrity.
- An enterprise requires all third-party vendors to provide SLSA Level 2 attestations as a procurement requirement.
- A CI/CD platform automatically generates SLSA provenance metadata using GitHub Actions OIDC tokens and Sigstore signing.