This is a quick-start guide for infrastructure providers, such as build platforms or package registries, that want to support SLSA for their users. The work involved in supporting SLSA depends on the kind of infrastructure or tooling you provide.

Types of infrastructure

Build platform

  1. Verify that your infrastructure is suitable to produce SLSA provenance. To learn more about verifying your system for SLSA conformance, see Verifying build platforms.
  2. Add support for generating SLSA provenance. To learn more about producing provenance, see Producing artifacts. To learn more about the SLSA provenance format, see Provenance.

Package registry

  1. Verify provenance for the software you distribute. To learn more about verifying provenance, see Verifying artifacts.
  2. Distribute provenance alongside the software you distribute. To learn more about distributing provenance, see Distributing provenance.

Compiler or other CLI build tool

  1. Do nothing. While your tool can produce SLSA provenance, that provenance will never be able to reach a Build level beyond Build Level 1. Instead, encourage your users to produce SLSA provenance in their build platform.