It's now easier than ever with with Scribe’s valint slsa
SLSA (Supply-chain Levels for Software Artifacts) is a security framework aiming to prevent tampering, improve integrity, and secure packages and infrastructure.
The core concept of SLSA is that a software artifact can be trusted only if it complies with three requirements:
- The artifact should have a Provenance document describing its origin and building process (L1).
- The Provenance document should be trustworthy and verified downstream (L2).
- The build system should be trustworthy (L3).
The SLSA framework defines levels, which represent how secure the software supply chain is. These levels correspond to the level of implementation of these requirements (noted as L1-L3 above).
Meeting SLSA requirements is.. Well.. complex. It involves a nuanced understanding of CI-platform dependencies, defies full automation, and demands a meticulous security analysis of build systems and pipelines.
If SLSA L3 is the path forward for your organization, it’s time to roll up your sleeves.
Scribe’s valint slsacommand can be used to produce Provenance documents. Following, we describe how to achieve SLSA levels by using this tool.
Get this use case, which provides our recommended checklist to guide you through the process
