Example use cases
- To inventory all the source and build systems (Level 1)
- Decoupling development toolchains (e.g. untrusted IDE extensions) and workflows from the artifacts you publish (Level 2)
- Providing a public audit trail of source and builds to demonstrate a commitment to securing a supply chain (Level 3)
- Eliminating unilateral access to produce releases so that compromise of your machine or credentials alone won’t be enough to backdoor your package (Level 4)
- Accounting for all build processes and systems used (Level 1)
- Ensuring that release artifacts are built through a common, publicly accessible workflow to facilitate onboarding new maintainers and providing transparency to your users (Level 2)
- Stratifying applications by their security sensitivity and ensuring low-assurance projects can’t adversely impact higher-assurance ones (Level 3)
- Preventing the compromise of a single employee from leading to the compromise of all your users (Level 4)
- Recording the steps necessary to build a release (Level 1)
- Establishing a cryptographic chain of custody between trusted builds and your release and code-signing workflows (Level 2)
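The Level 2 items above (a common, trusted build workflow and a cryptographic chain of custody between the build and the released artifact) come down to a policy check over the build provenance at release time. The following is an added example, not code from the SLSA project: a small verifier over an in-toto Statement carrying a SLSA provenance v0.2 predicate. The statement and predicate field names are the real ones from those formats; the builder ids, repository URI, artifact bytes and the policy itself are constructed for the example. It assumes the DSSE envelope signature around the statement has already been verified against the builder's key, and only checks what the attestation says.

```python
"""Policy check over a SLSA v0.2 provenance statement.

Added example. The in-toto Statement/v0.1 and slsa.dev/provenance/v0.2
field names are real; every value below (builder ids, repo URI, artifact
bytes, policy) is constructed for illustration.
"""
import hashlib

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"

# Constructed policy (hypothetical values): the only builder allowed to
# produce releases, and the source repository releases must be built from.
POLICY = {
    "allowed_builders": {"https://example.com/builders/release-ci@v1"},
    "expected_source": "git+https://example.com/org/pkg",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_provenance(statement: dict, artifact: bytes, policy: dict) -> list:
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    if statement.get("_type") != IN_TOTO_STATEMENT:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != SLSA_PROVENANCE_V02:
        problems.append("unexpected predicate type")

    # Chain of custody: the provenance must name this exact artifact by digest,
    # so a swapped or tampered artifact is rejected even with valid provenance.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest not listed as a subject")

    pred = statement.get("predicate", {})

    # Common workflow: only the shared, trusted builder may produce releases.
    builder_id = pred.get("builder", {}).get("id")
    if builder_id not in policy["allowed_builders"]:
        problems.append(f"untrusted builder: {builder_id!r}")

    # The build must have been invoked from, and consumed, the expected repo.
    config_uri = pred.get("invocation", {}).get("configSource", {}).get("uri")
    if config_uri != policy["expected_source"]:
        problems.append(f"build config not from expected source: {config_uri!r}")
    materials = {m.get("uri") for m in pred.get("materials", [])}
    if policy["expected_source"] not in materials:
        problems.append("expected source not among materials")
    return problems


def make_statement(artifact: bytes, builder_id: str, source: str) -> dict:
    """Build a constructed provenance statement for the given artifact."""
    return {
        "_type": IN_TOTO_STATEMENT,
        "predicateType": SLSA_PROVENANCE_V02,
        "subject": [
            {"name": "pkg-1.0.0.tar.gz", "digest": {"sha256": sha256_hex(artifact)}}
        ],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/buildtypes/release@v1",
            "invocation": {
                "configSource": {
                    "uri": source,
                    "digest": {"sha1": "0" * 40},
                    "entryPoint": "release.yml",
                }
            },
            "materials": [{"uri": source, "digest": {"sha1": "0" * 40}}],
        },
    }


ARTIFACT = b"constructed release tarball bytes\n"
SOURCE = "git+https://example.com/org/pkg"

# Provenance from the shared release builder.
GOOD = make_statement(ARTIFACT, "https://example.com/builders/release-ci@v1", SOURCE)
# Provenance from a maintainer's own machine: valid format, but not the common workflow.
LAPTOP = make_statement(ARTIFACT, "https://example.com/builders/laptop", SOURCE)
# Provenance built from a fork rather than the expected repository.
FORK = make_statement(ARTIFACT, "https://example.com/builders/release-ci@v1",
                      "git+https://example.com/someone/pkg-fork")


def demo():
    return {
        "good": check_provenance(GOOD, ARTIFACT, POLICY),
        "laptop": check_provenance(LAPTOP, ARTIFACT, POLICY),
        "fork": check_provenance(FORK, ARTIFACT, POLICY),
        "tampered": check_provenance(GOOD, ARTIFACT + b"tampered", POLICY),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result or "accepted")
```

The check deliberately reports every violation rather than stopping at the first, which is what you want when the result feeds a release gate: a maintainer debugging a rejected release sees all the reasons at once.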
These case studies go into much more depth. Each starts from a particular scenario and looks at how you might harden an entire system over time: first the immediate problems to solve, then the next steps that incrementally progress through the higher SLSA levels, leaving room to develop automatic analysis and policies along the way.
Example case studies
- Publishing a software package
- Consuming third party software
- Package repository accepting a software package
- Incrementally reaching Level 4 using curl
Real-world examples
If you’ve been using SLSA already, get in touch.
The scenarios above are proofs of concept and theoretical explorations. As more people adopt SLSA, we'll add case studies that walk you through what long-term adoption of the SLSA framework could look like, with real-world scenarios covering application and discovery, planning, and strategic development.
The contribution guidelines will guide your feedback, and every contribution helps others see how SLSA can be used in their project or organization.