SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.
This is version 1.0 RC2 of the SLSA specification, which defines the SLSA levels and recommended attestation formats, including provenance.
These pages provide an overview of SLSA, how it helps protect against common supply chain attacks, and common use cases. If you’re new to SLSA or supply chain security, start here.
What’s new in v1.0: What’s new in SLSA Version 1.0
An introductory guide to SLSA
Supply chain threats: An introduction to supply chain threats
Questions and more information
Additions and changes being considered for future SLSA versions
These pages describe SLSA’s security levels and the requirements for each track. If you want to achieve a particular SLSA level, these are the requirements you’ll need to meet.
Terminology and model used by SLSA
Overview of SLSA’s tracks and levels, intended for all audiences
Detailed technical requirements for producing software artifacts, intended for system implementers
Detailed technical requirements for distributing provenance, intended for system implementers and software distributors
Guidance for verifying software artifacts and their SLSA provenance, intended for system implementers and software consumers
Verifying build systems: Guidelines for securing SLSA Build L3+ builders, intended for system implementers
Threats & mitigations: Detailed information about specific supply chain attacks and how SLSA helps
These pages include the concrete schemas for SLSA attestations. The Provenance and VSA formats are recommended, but not required by the specification.
General attestation model
Suggested provenance format and explanation
Suggested VSA format and explanation
How to SLSA
These instructions tell you how to apply the core SLSA specification to use SLSA in your specific situation.
How to apply SLSA requirements to your build
For organizations (TODO): How to apply SLSA to an organization
For implementers (TODO): How to implement SLSA in source, build, and package systems