The SLSA project is an open source project that strives to make useful and practical standards, tools, and documentation to reduce software supply chain risk in the real world. To succeed, we rely on contributors from a variety of organizations to help us improve. Whether that’s reporting successes or challenges, contributing changes to the specification or documentation, or developing tooling and services, we welcome your contributions.
“SLSA’s really the first of its kind, a framework for supply chain and build integrity. What sets it apart is the thriving community behind it, and it’s resonating with different organizations.”
The initial v0.1 specification has been released and is ready to be tried out and tested.
We’ve released an initial set of tools and services to generate SLSA 1-2 provenance, which we’re looking to develop further soon.
Google has been using an internal version of SLSA since 2013 and requires it for all of their production workloads.