SLSA uses provenance to indicate whether an artifact is authentic or not, but provenance doesn’t do anything unless somebody inspects it. SLSA calls that inspection verification, and this page describes how to verify artifacts and their SLSA provenance. The intended audience is platform implementers, security engineers, and software consumers.| SLSA
This is a request for examples (RFE) for an end-to-end implementation of the Supply-chain Levels for Software Artifacts (SLSA) framework. The goal is to create a comprehensive demonstration of how SLSA can be used to secure the software supply chain, from source code to end-user consumption. These implementations will serve as a reference for the community, showcasing best practices and providing a clear adoption path for organizations looking to improve their software supply chain security.
Today we’re releasing SLSA Version 1.1 as the latest Approved Specification of SLSA, effectively replacing Version 1.0.
Today we’re releasing the SLSA Version 1.1 RC2 for public review. We are seeking comments on these spec changes by April 18, 2025. This release brings several changes aimed at enhancing the clarity and usability of the original specification. It also introduces backwards-compatible clarifications to the SLSA threat model, attestation model and verification procedure. This includes the addition of verifier metadata to the Verification Summary Attestation (VSA) format. Please, refer to the Wh...
Dependency confusion and typosquatting attacks are very similar in their nature. They both exploit the weakness in the way many package managers identify packages using only their names. Successfully exploiting this weakness enables the attacker to run arbitrary code at install time or at the application’s run time. These attacks are scalable, portable, and extremely cost-effective to carry out—making them very appealing to malicious actors.
Tekton Chains, and the IBM DevSecOps offering that builds on it, can now be used to secure software artifacts with SLSA.
It has been an exciting quarter for supply chain security and SLSA, with the release of the SLSA v1.0 specification, SLSA provenance support for npm, and the announcement of new SLSA Level 3 builders for Node.js and containers!
Following the recent launch of SLSA v1.0, we’re announcing a new GitHub Actions workflow that achieves SLSA Build Track Level 3 for provenance generation. This lets users generate unforgeable provenance, allowing consumers to trust and verify how their software artifacts were built. The container-based SLSA 3 builder is the result of a collaboration between the Google Open Source Security Team (GOSST), the SLSA community, and Project Oak.
It has been a big month for supply chain security! GitHub recently announced the public beta for npm package provenance. This adds new functionality to npmjs.com and the npm CLI that allows package maintainers to generate and upload SLSA Build Level 2 provenance along with their packages. Integration with Sigstore enables verification of signature and certificate metadata so users know that the package came from the expected source repository.
SLSA: Security framework to ensure software supply chain integrity
SLSA protects against tampering during the software supply chain, but how? The answer depends on the use case in which SLSA is applied. Here are descriptions of the three main use cases for SLSA.
This page covers the detailed technical requirements for producing artifacts at each SLSA level. The intended audience is platform implementers and security engineers.
With supply chain attacks on the rise, a shared vocabulary and universal framework are needed to provide incremental guidance to harden supply chains for more secure software production. This page introduces the main concepts behind SLSA and explains how it can help anyone involved in producing, consuming, or providing infrastructure for software.
Today we’re releasing for public review SLSA Version 1.2 RC1, a Release Candidate of SLSA v1.2. We are seeking comments on this specification by July 18th, 2025.
Guidelines for assessing build platform security.
Answers to questions frequently asked about SLSA.
Last week the three of us met to try to make more progress on the source track. Async collaboration can work well for some things, but on “squishier” topics a higher-bandwidth engagement can be really helpful. All our work was against the draft version of the spec and before anything becomes official it will go through the approval process. We’d love your feedback on what we accomplished and discussed (summarized below), so please let us know what you think!
There’s an active community of members, contributors and collaborators behind the SLSA framework. We’re drawn together by the shared goals of improving software supply chain security and codifying best practices for development, deployment and governance, all collaborating on an objective framework that works for open source projects and organizations, influences policy and regulations, empowers engineers and builds for the future. Learn about and get involved in the SLSA community.
Before diving into the SLSA specification levels, we need to establish a core set of terminology and models to describe what we’re protecting.
An introduction to the guiding principles behind SLSA’s design decisions.
The initial draft version (v0.1) of SLSA had a larger scope including protections against tampering with source code and a higher level of build integrity (Build L4). This page collects some early thoughts on how SLSA might evolve in future versions to re-introduce these notions and add other additional aspects of automatable supply chain security.
Description of SLSA provenance specification for verifying where, when, and how something was produced.
Questions and more information.
Overview of the SLSA standards and technical controls to improve artifact integrity.
Attacks can occur at every link in a typical software supply chain, and these kinds of attacks are increasingly public, disruptive, and costly in today’s environment. This page is an introduction to possible attacks throughout the supply chain and how SLSA could help.
A software attestation is an authenticated statement (metadata) about a software artifact or collection of software artifacts. The primary intended use case is to feed into automated policy engines, such as in-toto and Binary Authorization. This page provides a high-level overview of the attestation model, including standardized terminology, data model, layers, and conventions for software attestations.
Description of SLSA provenance specification for verifying where, when, and how something was produced.
A comprehensive technical analysis of supply chain threats and their corresponding mitigations in SLSA.
SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees. This is version 1.0 of the SLSA specification, which defines the SLSA levels.
SLSA is organized into a series of levels that provide increasing supply chain security guarantees. This gives you confidence that software hasn’t been tampered with and can be securely traced back to its source. This page is a descriptive overview of the SLSA levels and tracks, describing their intent.
Ladder of increasing security guarantees.
Technical requirements to reach each level.
Specific supply chain attacks and how SLSA helps.
Interested in getting involved? Now’s the chance to provide your feedback on the foundational v1 release of the SLSA framework.
Today, we are excited to announce the important milestone of a release candidate (RC) SLSA Specification. This is the first major update to SLSA since its v0.1 release in June 2021, and the RC finalizes multiple revisions to the SLSA specifications and requirements. We’re grateful for the huge community engagement that went into shaping this work.