Improving artifact integrity across the supply chain

SLSA ("salsa") is Supply-chain Levels for Software Artifacts.

A security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity.

Overview

Security levels

Each level provides requirements, processes and best practices to increase trust in software. These look at the integrity of the source and build services, available information about the code, reproducibility and resilience against tampering or human error.

Level 1

Basic protection

Provenance checks to help evaluate risks and security

Level 2

Medium protection

Further checks against the origin of the software

Level 3

Advanced protection

Extra resistance to specific classes of threats

Level 4

Maximum protection

Strict auditability and reliability checks
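The Level 1 and Level 2 descriptions above come down to checks a consumer can run on a provenance document before trusting an artifact. The following is an added example, not code from the SLSA project: it verifies a constructed in-toto statement carrying a SLSA provenance v0.1 predicate against an artifact's digest, a trusted-builder allow-list and an expected source repository. The builder id, repository URI and artifact bytes are constructed sample values.

```python
import hashlib

# Constructed sample artifact and a provenance statement describing it
# (in-toto Statement envelope with a SLSA provenance v0.1 predicate).
# All identifiers below are placeholders, not real builders or repositories.
ARTIFACT = b"example release tarball bytes"
EXPECTED_SOURCE = "git+https://github.com/example/app"
TRUSTED_BUILDERS = {"https://builder.example/hosted-ci@v1"}
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.1",
    "predicate": {
        "builder": {"id": "https://builder.example/hosted-ci@v1"},
        "materials": [{"uri": EXPECTED_SOURCE + "@refs/heads/main",
                       "digest": {"sha256": "0" * 64}}],
    },
}


def check_provenance(artifact, statement, expected_source,
                     trusted_builders=TRUSTED_BUILDERS):
    """Return the list of failed checks; an empty list means the artifact passes.

    Level 1 style check: provenance exists and names exactly this artifact.
    Level 2 style check: the build ran on a builder we trust and consumed
    the source repository we expect, so the origin of the software is known.
    """
    failures = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.1":
        failures.append("unexpected predicate type")
    # The subject digest must match the bytes we actually downloaded.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest not listed as a provenance subject")
    predicate = statement.get("predicate", {})
    if predicate.get("builder", {}).get("id") not in trusted_builders:
        failures.append("builder is not trusted")
    # Materials record what went into the build; the expected repo must be there.
    uris = [m.get("uri", "") for m in predicate.get("materials", [])]
    if not any(uri.startswith(expected_source) for uri in uris):
        failures.append("expected source repository not among materials")
    return failures


if __name__ == "__main__":
    print(check_provenance(ARTIFACT, PROVENANCE, EXPECTED_SOURCE))
    print(check_provenance(b"tampered bytes", PROVENANCE, EXPECTED_SOURCE))
```

A real deployment would first verify the signature on the envelope carrying the statement; this example checks only the statement's contents.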

The supply chain

Protecting each stage of development

How do you mitigate threats and risks?

Any software can introduce vulnerabilities into a supply chain, with recent high-profile cases proving how costly an attack can be. The SLSA framework was developed in direct response to known supply chain attacks; the steps that make it up aim to empower developers and software consumers to easily and automatically check the integrity of software artifacts.

Supply Chain Threats

Where threats and risks occur in a supply chain

Standard security guidelines that scale

SLSA levels are a way to better understand your current security posture, protect yourself from potential threats and plan for the future. If you’re a software consumer, you can check that the security information for any software in your supply chain is accurate, whether it provides the exact level of security you need, and help develop, share and promote tools that automate the process.

Ethos

Building towards the future

Today’s projects, products and services are increasingly complex and open to attack. As that trend continues, we need to scale up our effort to provide more secure, accessible ways to protect the development, distribution and consumption of the software we use, and all the impacted communities behind it.

Currently in alpha

The framework is constantly being improved, and is now ready to be tried out and tested. Google has been using an internal version of SLSA since 2013 and requires it for all of its production workloads.

Get involved

We rely on feedback from other organizations to improve, and we’d love to hear from you. Are the levels achievable in your project? Would you add or remove anything from the framework?

Get started

See a GitHub Actions demo

Check our demonstration for SLSA level 1 with a provenance generator for GitHub Actions.