There’s an active community of members, contributors and collaborators behind the SLSA framework. We’re drawn together by the shared goals of improving software supply chain security and codifying best practices for development, deployment and governance, all collaborating on an objective framework that works for open source projects and organizations, influences policy and regulations, empowers engineers and builds for the future.

Get involved

The SLSA project is an open source project that strives to make useful and practical standards, tools, and documentation to reduce software supply chain risk in the real world. To succeed, we rely on contributors from a variety of organizations to help us improve. Whether that’s reporting successes or challenges, contributing changes to the specification or documentation, or developing tooling and services, we welcome your contributions.

General contributions

For general questions, suggestions, or status updates, please use one of the following channels.

Contribution guidelines
Community meeting (monthly)
GitHub issues (tracks all work)
Slack (#slsa)
Mailing list

Special Interest Groups (SIGs)

To get more deeply involved in SLSA, we welcome your participation in the following special interest groups (SIGs). See linked meeting notes for more info, including meeting times and Slack channel.

Specification SIG
Tooling SIG
Positioning SIG

“SLSA’s really the first of its kind, a framework for supply chain and build integrity. What sets it apart is the thriving community behind it, and it’s resonating with different organizations.”

Kim Lewandowski

Founder, Chainguard

Project status

SLSA v1.0 is coming soon!

The SLSA v1.0 release candidate specification is out and available for community review. We anticipate a stable release soon.

We’ve released a set of tools and services to generate up to SLSA 3 provenance, and plan to develop further tooling soon.

Google has been using an internal version of SLSA since 2013 and requires it for all of their production workloads.

Steering committee

Governance

SLSA is a community effort organized within the Open Source Security Foundation (OpenSSF) and released under the Community Specification License 1.0.

For more information about governance, see slsa-framework/governance.