Reaching SLSA Level 1
This guide will help you achieve Level 1, and it should take less than a couple of hours for an individual project. The goals is to:
- Automate your builds
- Produce provenance data
The tools listed are optional resources only, there for demonstration and context-specific guidance.
- If you don't already use a build service or CI/CD, we recommend you set one up. This is not strictly required but it makes the following steps easier and is needed for higher levels. Consider using a service that is supported in the next step.
- Generate provenance during your build. The tools below might be useful. If your build service is not listed there, consider creating a plugin to generate provenance.
- Make the provenance available to your consumers. We don't yet have a standard convention for this. Best practises will develop as SLSA becomes more popular and we get more experience.
- You’re Level 1! Add the SLSA Level 1 badge to your project's readme.
Building to higher levels
Once the foundations are in place with Level 1, you can start looking towards the higher levels to further strengthen artifact integrity with central monitoring, authentication and automated compilation, as well as more secure development practices. But there’s a few things to consider first:
Define your ideal state
Which level is most realistic, which is appropriate for your project in the short term and for your immediate needs? It can take years to achieve the ideal security state, so having intermediate milestones is important.
Not all projects require Level 4, and for others it’s impossible to achieve. If it seems unrealistic for your project, focus your efforts on Level 3 instead.
Make progress in parallel
You can progressively attain higher SLSA levels. Each artifact’s SLSA level is independent from one another, allowing parallel progress and prioritization based on risk.