This is a working draft. This document may be modified, replaced, or discarded at any time.

Version 1.1 is the current version. See the Version 1.1 documentation.

SLSA specification

SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.

This is the Working Draft of what the next version of the SLSA specification might be. It defines several SLSA levels and tracks, as well as recommended attestation formats, including provenance.

Understanding SLSA

These pages provide an overview of SLSA, how it helps protect against common supply chain attacks, and common use cases. If you’re new to SLSA or supply chain security, start here.

Page | Description
What’s new | The changes brought by this Working Draft.
About SLSA | An introductory guide to SLSA
Supply chain threats | An introduction to supply chain threats
Use cases | Use cases
Guiding principles | Use cases
FAQ | Questions and more information
Future directions | Additions and changes being considered for future SLSA versions
Tracks | Provides an overview of each track and links to more specific information.

Build Track

These pages describe the build track’s security levels and requirements. If you want to achieve a particular level of the SLSA build track these are the requirements you’ll need to meet.

Page | Description
Basics | The SLSA build track is organized into a series of levels that provide increasing supply chain security guarantees. This gives you confidence that software hasn’t been tampered with and can be securely traced back to its source. This page is a descriptive overview of the SLSA build track levels, describing their intent.
Terminology | Terminology and model used by SLSA
Producing artifacts | Detailed technical requirements for producing software artifacts, intended for platform implementers
Distributing provenance | Detailed technical requirements for distributing provenance, intended for platform implementers and software distributors
Verifying artifacts | Guidance for verifying software artifacts and their SLSA provenance, intended for platform implementers and software consumers
Assessing build platforms | Guidelines for securing SLSA Build L3+ builders, intended for platform implementers

Build Environment Track

These pages describe the build environment track’s security levels and requirements. If you want to achieve a particular level of the SLSA build environment track these are the requirements you’ll need to meet.

Page | Description
Attesting build environments | Overview of SLSA’s Attested Build Environment track, intended for all audiences

Dependency Track

These pages describe the dependency track’s security levels and requirements. If you want to achieve a particular level of the SLSA dependency track, these are the requirements you’ll need to meet.

Page | Description
Consuming dependencies | Overview of the Dependency track

Source Track

These pages describe the source track’s security levels and requirements. If you want to achieve a particular level of the SLSA source track these are the requirements you’ll need to meet.

Page | Description
Producing source | Overview of the Source track
Verifying source | Guidelines for verifying source provenance
Assessing source control systems | Guidelines for assessing source control system security

Cross Track Information

These pages describe information that crosses track boundaries.

Page | Description
Threats & mitigations | Detailed information about specific supply chain attacks and how SLSA helps
Verified Properties | SLSA provides a common way to express verified properties that may not fit within a SLSA track.

Attestation formats

These pages include the concrete schemas for SLSA attestations. The Provenance and VSA formats are recommended, but not required by the specification.

Page | Description
General model | General attestation model
Provenance | Describes the concept of provenance and links to each track’s specific definitions.
Build Provenance | Suggested build provenance format and explanation
Verification Summary | Suggested VSA format and explanation