Safeguarding artifact integrity across any software supply chain

What is SLSA?

Supply chain Levels for Software Artifacts, or SLSA (salsa).

It’s a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. It’s how you get from safe enough to being as resilient as possible, at any link in the chain.

SLSA logo mark mono version

The supply chain problem

Any software can introduce vulnerabilities into a supply chain. As a system gets more complex, it’s critical to already have checks and best practices in place to guarantee artifact integrity, that the source code you’re relying on is the code you’re actually using. Without solid foundations and a plan for the system as it grows, it’s difficult to focus your efforts against tomorrow’s next hack, breach or compromise.

More about supply chain attacks
the supply chain problem image

Levels of assurance

SLSA levels are like a common language to talk about how secure software, supply chains and their component parts really are. From source to system, the levels blend together industry-recognized best practices to create four compliance levels of increasing assurance. These look at the builds, sources and dependencies in open source or commercial software. Starting with easy, basic steps at the lower levels to build up and protect against advanced threats later, bringing SLSA into your work means prioritized, practical measures to prevent unauthorized modifications to software, and a plan to harden that security over time.

Read the level specifications
SLSA levels badge

Level 1

Easy to adopt, giving you supply chain visibility and being able to generate provenance

Level 2

Starts to protect against software tampering and adds minimal build integrity guarantees

Level 3

Hardens the infrastructure against attacks, more trust integrated into complex systems

Level 4

The highest assurances of build integrity and measures for dependency management in place

Who is SLSA for?

Whether you’re a developer, business or an enterprise, SLSA provides a industry standard, a recognizable and agreed-upon level of protection and compliance.

It’s adaptable, and it’s been designed with the wider security ecosystem in mind, for anyone to adopt and use. That could be users requiring that the software they rely on is a particular SLSA level, an open source software project protecting its users by using SLSA compliant infrastructure, or an enterprise using SLSA as guiding principles to harden their own internal supply chains, requiring that dependencies are SLSA compliant too.

An industry collaboration

SLSA is led by an initial cross-organization, vendor-neutral steering group committed to improving the security ecosystem for everyone.

image
image
image
image
image
image
image
image

Our ethos

Today’s projects, products and services are increasingly complex and open to attack. As that trend continues, we need to scale up our effort to provide more secure, accessible ways to protect the development, distribution and consumption of the software we use, and all the impacted communities behind it.

“This is our chance to work with the industry, set a standard which we can all agree to, and work together to raise the collective bar.”

Trishank Karthik Kuppusamy

Engineering Manager at Datadog

“Software supply chain visibility will become a cross-industry need to establish best practices and trusted evidence in each link.”

Bruno Domingues

CTO, Financial Services Industry, Intel

“Having a common language and standard for objectively measuring our supply chain security is a must in order to even begin meeting EO 14028.”

Trishank Karthik Kuppusamy

Engineering Manager at Datadog

“The threat to the software supply chain is real and growing, 650% from the last year. However, changing development process without slowing down is a major barrier.”

Bruno Domingues

CTO, Financial Services Industry, Intel

“Regulated industries such as Financial Services are being more vocal on defining their responsibility on the software supply chain. Having control and traceability as a requirement is taking shape.”

Bruno Domingues

CTO, Financial Services Industry, Intel

Project status

SLSA is currently in alpha

The initial v0.1 specification is out and is now ready to be tried out and tested.

We’ve released a set of tools and services to generate SLSA 1-2 provenance, which we’re looking to develop further soon.

Google has been using an internal version of SLSA since 2013 and requires it for all of their production workloads.