SLSA specification
SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.
This is Version 1.2 Release Candidate 1 (RC1) of the SLSA specification, which defines several SLSA levels and recommended attestation formats, including provenance.
Understanding SLSA
These pages provide an overview of SLSA, how it helps protect against common supply chain attacks, and common use cases. If you’re new to SLSA or supply chain security, start here.
| Page | Description |
|---|---|
| What's new | The changes brought by this Working Draft. |
| About SLSA | An introductory guide to SLSA |
| Supply chain threats | An introduction to supply chain threats |
| Use cases | Use cases |
| Guiding principles | An overview of the principles that guide SLSA |
| FAQ | Questions and more information |
| Future directions | Additions and changes being considered for future SLSA versions |
| Tracks | Provides an overview of each track and links to more specific information. |
Build Track
These pages describe the build track's security levels and requirements. If you want to achieve a particular level of the SLSA build track, these are the requirements you'll need to meet.

| Page | Description |
|---|---|
| Basics | The SLSA build track is organized into a series of levels that provide increasing supply chain security guarantees. This gives you confidence that software hasn't been tampered with and can be securely traced back to its source. This page is a descriptive overview of the SLSA build track levels, describing their intent. |
| Terminology | Terminology and model used by SLSA |
| Producing artifacts | Detailed technical requirements for producing software artifacts, intended for platform implementers |
| Distributing provenance | Detailed technical requirements for distributing provenance, intended for platform implementers and software distributors |
| Verifying artifacts | Guidance for verifying software artifacts and their SLSA provenance, intended for platform implementers and software consumers |
| Assessing build platforms | Guidelines for securing SLSA Build L3+ builders, intended for platform implementers |
Source Track
These pages describe the source track's security levels and requirements. If you want to achieve a particular level of the SLSA source track, these are the requirements you'll need to meet.

| Page | Description |
|---|---|
| Producing source | Overview of the Source track |
| Verifying source | Guidelines for verifying source provenance |
| Assessing source control systems | Guidelines for assessing source control system security. |
Cross Track Information
These pages describe information that crosses track boundaries.
| Page | Description |
|---|---|
| Threats & mitigations | Detailed information about specific supply chain attacks and how SLSA helps |
Attestation formats
These pages include the concrete schemas for SLSA attestations. The Provenance and VSA formats are recommended, but not required by the specification.
| Page | Description |
|---|---|
| General model | General attestation model |
| Provenance | Provides a description of the concept of provenance and links to the various tracks' specific definitions. |
| Build Provenance | Suggested build provenance format and explanation |
| Verification Summary | Suggested VSA format and explanation |