Reaching SLSA Level 1

Effort: Low


This guide will help you achieve Level 1, and it should take less than a couple of hours for an individual project. The goals is to:

  • Automate your builds
  • Produce provenance data

The tools listed are optional resources only, there for demonstration and context-specific guidance.


  • If you don't already use a build service or CI/CD, we recommend you set one up. This is not strictly required but it makes the following steps easier and is needed for higher levels. Consider using a service that is supported in the next step.
  • Generate provenance during your build. The tools below might be useful. If your build service is not listed there, consider creating a plugin to generate provenance.
  • Make the provenance available to your consumers. We don't yet have a standard convention for this. Best practises will develop as SLSA becomes more popular and we get more experience.
  • You’re Level 1! Add the SLSA Level 1 badge to your project's readme.


Reaching SLSA Level 3

Effort: Low


This guide will help you achieve the build and provenance requirements of Level 3, and it should take less than a couple of hours for an individual project. The goals is to achieve the following requirements:

The list of tools is not exhaustive. If there are tools missing from this list, please create a GitHub issue.



Building to higher levels

Once the foundations are in place with Level 1, you can start looking towards the higher levels to further strengthen artifact integrity with central monitoring, authentication and automated compilation, as well as more secure development practices. But there’s a few things to consider first:

Define your ideal state

Which level is most realistic, which is appropriate for your project in the short term and for your immediate needs? It can take years to achieve the ideal security state, so having intermediate milestones is important.

Not all projects require Level 4, and for others it’s impossible to achieve. If it seems unrealistic for your project, focus your efforts on Level 3 instead.

Make progress in parallel

You can progressively attain higher SLSA levels. Each artifact’s SLSA level is independent from one another, allowing parallel progress and prioritization based on risk.

Help us improve SLSA

Already at SLSA Level 1? Let us know what went well, what didn’t, and what could be improved. We’re developing new tools and onboarding resources to make the process even easier, so your contribution really goes a long way.

Leave a GitHub issue
Join the community