Reaching SLSA Level 1
This guide will help you achieve Level 1, and it should take less than a couple of hours for an individual project. The goal is to:
- Automate your builds
- Produce provenance data
The tools listed are optional resources only, there for demonstration and context-specific guidance.
- If you don't already use a build service or CI/CD, we recommend you set one up. This is not strictly required, but it makes the following steps easier and is needed for higher levels. Consider using a service that is supported in the next step.
- Generate provenance during your build. The tools below might be useful. If your build service is not listed there, consider creating a plugin to generate provenance.
  - GitHub actions provenance generators (SLSA level 3)
  - Azure DevOps provenance generator (SLSA level 1)
  - Google Cloud Build (SLSA level 2)
  - Sigstore Cosign for storing signed provenance
  - OpenSSF - Factory for Repeatable Secure Creation of Artifacts (FRSCA) (Currently SLSA level 2)
- Make the provenance available to your consumers. We don't yet have a standard convention for this. Best practices will develop as SLSA becomes more popular and we get more experience.
- You’re Level 1! Add the SLSA Level 1 badge to your project's readme.
Reaching SLSA Level 3
This guide will help you achieve the build and provenance requirements of Level 3, and it should take less than a couple of hours for an individual project. The goal is to achieve the following requirements:
The list of tools is not exhaustive. If there are tools missing from this list, please create a GitHub issue.
- GitHub actions builders and generators (SLSA level 3)
- Update your documentation to let users know you generate provenance and encourage them to verify it when downloading your binaries. Also, consider contributing to the SLSA blog and let others know about your journey, or submit a case study!
- You’re now generating non-forgeable SLSA provenance that meets the build and provenance requirements for SLSA level 3 and above! Add the SLSA Level 3 badge to your project's readme.
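The provenance you generate (step 2 of Level 1) and ask users to verify (the documentation step above) is an in-toto Statement with a SLSA provenance predicate, usually delivered in a DSSE envelope. The checker below is an added example, not SLSA project code: it decodes such an envelope, confirms the statement covers the downloaded file by sha256, and confirms the builder id is the one you trust. The builder id, build type and artifact bytes are constructed placeholders, and the envelope's signature is assumed to have been verified already by a tool such as cosign or slsa-verifier.

```python
import base64
import hashlib
import json

# Predicate types used by SLSA provenance v0.2 and v1 generators.
SLSA_PREDICATE_TYPES = {"https://slsa.dev/provenance/v0.2", "https://slsa.dev/provenance/v1"}

def builder_id(statement):
    """The builder id sits in different places in v0.2 and v1 predicates."""
    pred = statement["predicate"]
    if statement["predicateType"].endswith("/v1"):
        return pred["runDetails"]["builder"]["id"]
    return pred["builder"]["id"]

def check_provenance(envelope, artifact_name, artifact_bytes, trusted_builder):
    """Check that a DSSE-wrapped in-toto Statement describes artifact_bytes and
    names trusted_builder. Returns (ok, reason). Assumes the envelope signature
    was already verified by a tool such as cosign or slsa-verifier."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        return False, "unexpected payloadType"
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    if not stmt.get("_type", "").startswith("https://in-toto.io/Statement/"):
        return False, "not an in-toto Statement"
    if stmt.get("predicateType") not in SLSA_PREDICATE_TYPES:
        return False, "predicate is not SLSA provenance"
    matches = [s for s in stmt.get("subject", []) if s.get("name") == artifact_name]
    if not matches:
        return False, "artifact is not a subject of this provenance"
    if matches[0].get("digest", {}).get("sha256") != hashlib.sha256(artifact_bytes).hexdigest():
        return False, "sha256 mismatch: provenance does not describe this file"
    if builder_id(stmt) != trusted_builder:
        return False, "untrusted builder id"
    return True, "ok"

# Constructed sample data for the demo; the builder id is a placeholder.
TRUSTED_BUILDER = "https://example.com/ci/builder-placeholder"
ARTIFACT = b"constructed release binary contents"

def make_envelope(name, data, builder):
    """Lay out an unsigned sample envelope the way a v1 generator would."""
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(data).hexdigest()}}],
            "predicateType": "https://slsa.dev/provenance/v1",
            "predicate": {"buildDefinition": {"buildType": "https://example.com/build-placeholder"},
                          "runDetails": {"builder": {"id": builder}}}}
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []}
```

A tampered binary, a renamed subject or a statement from an unexpected builder each fails with a distinct reason, which is what a consumer following your verification instructions should see.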
Building to higher levels
Once the foundations are in place with Level 1, you can start looking towards the higher levels to further strengthen artifact integrity with central monitoring, authentication and automated compilation, as well as more secure development practices. But there are a few things to consider first:
Define your ideal state
Which level is most realistic, which is appropriate for your project in the short term and for your immediate needs? It can take years to achieve the ideal security state, so having intermediate milestones is important.
Not all projects require Level 4, and for others it’s impossible to achieve. If it seems unrealistic for your project, focus your efforts on Level 3 instead.
Make progress in parallel
You can progressively attain higher SLSA levels. Each artifact’s SLSA level is independent of the others, allowing parallel progress and prioritization based on risk.