SLSA (Supply-chain Levels for Software Artifacts) is a framework led by Google that defines four levels of protection for a software supply chain and provides guidelines on how to reach each level. Since companies operate dynamic pipelines, the security of a pipeline needs to be measured continuously rather than once.
This need can be met by implementing automated SLSA-compliance evaluation. In this talk, we shall share lessons learned from our journey in implementing such automation in real-world scenarios using open-source tools such as Sigstore and OPA.
The lessons, both conceptual and technical, shed light on the real-world details and challenges we encountered when evaluating SLSA compliance and when automating that evaluation. Some of these lessons challenge part of the SLSA requirements themselves.