Improving artifact integrity across the supply chain
SLSA (pronounced "salsa") stands for Supply-chain Levels for Software Artifacts.
It is a security framework that spans from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity.
Each level provides requirements, processes and best practices to increase trust in software. These look at the integrity of the source and build services, available information about the code, reproducibility and resilience against tampering or human error.
Protecting each stage of development
How do you mitigate threats and risks?
Any software can introduce vulnerabilities into a supply chain, and recent high-profile cases have shown how costly an attack can be. Developed in direct response to known supply chain attacks, the steps that make up the SLSA framework aim to empower developers and software consumers to check the integrity of software artifacts easily and automatically.
Standard security guidelines that scale
SLSA levels are a way to better understand your current security posture, protect yourself from potential threats and plan for the future. If you’re a software consumer, you can check that the security information for any software in your supply chain is accurate, whether it provides the exact level of security you need, and help develop, share and promote tools that automate the process.
Building towards the future
Today's projects, products and services are increasingly complex and open to attack. As that trend continues, we need to scale up our effort to provide more secure, accessible ways to protect the development, distribution and consumption of the software we use, and all the impacted communities behind it.
Currently in alpha
The framework is constantly being improved, and is now ready to be tried out and tested. Google has been using an internal version of SLSA since 2013 and requires it for all of its production workloads.
We rely on feedback from other organizations to improve, and we’d love to hear from you. Are the levels achievable in your project? Would you add or remove anything from the framework?
See a GitHub Actions demo
Check our demonstration for SLSA level 1 with a provenance generator for GitHub Actions.
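To make the consumer-side check concrete, here is an added example (not code from slsa.dev or the GitHub Actions demo) of what a consumer does with the provenance such a generator emits: confirm that the statement is SLSA provenance, that it was produced by a builder the consumer trusts, and that its subject digest matches the artifact actually downloaded. It assumes the in-toto Statement v0.1 envelope with the SLSA provenance v0.1 predicate; the artifact bytes and builder id are constructed sample values.

```python
import hashlib
import json

# Assumed format: in-toto Statement v0.1 carrying the SLSA provenance v0.1 predicate.
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.1"

# Constructed sample artifact, standing in for a downloaded release file.
ARTIFACT_NAME = "app-1.0.0.tar.gz"
ARTIFACT_BYTES = b"constructed sample release bytes\n"
BUILDER_ID = "https://example.invalid/builder"  # constructed placeholder


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(name: str, data: bytes, builder_id: str) -> dict:
    """Minimal statement a level-1 generator records for one subject
    (signature envelope omitted; see note below)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {"builder": {"id": builder_id}},
    }


def verify_provenance(statement: dict, name: str, data: bytes, trusted_builder: str):
    """Return (ok, reason). Accept only if the statement is SLSA provenance,
    comes from the trusted builder, and names this artifact with a matching digest."""
    if statement.get("_type") != STATEMENT_TYPE:
        return False, "not an in-toto statement"
    if statement.get("predicateType") != PROVENANCE_TYPE:
        return False, "predicate is not SLSA provenance"
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder != trusted_builder:
        return False, f"untrusted builder: {builder!r}"
    actual = sha256_hex(data)
    for subj in statement.get("subject", []):
        if subj.get("name") == name:
            if subj.get("digest", {}).get("sha256") == actual:
                return True, "digest matches provenance subject"
            return False, "artifact digest does not match provenance"
    return False, f"provenance does not cover {name!r}"


if __name__ == "__main__":
    prov = make_provenance(ARTIFACT_NAME, ARTIFACT_BYTES, BUILDER_ID)
    print(json.dumps(prov, indent=2))
    print(verify_provenance(prov, ARTIFACT_NAME, ARTIFACT_BYTES, BUILDER_ID))
    # A tampered artifact fails even though the statement itself is intact.
    print(verify_provenance(prov, ARTIFACT_NAME, ARTIFACT_BYTES + b"x", BUILDER_ID))
```

In practice the statement arrives inside a signed envelope, and the consumer verifies that signature against the builder's key before trusting any of the fields checked here.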