How to Reach SLSA Levels

It's now easier than ever with with Scribe’s valint slsa. Fill in the form and get the use case now

SLSA (Supply-chain Levels for Software Artifacts) is a security framework aiming to prevent tampering, improve integrity, and secure packages and infrastructure.

The core concept of SLSA is that a software artifact can be trusted only if it complies with three requirements:

  1. The artifact should have a Provenance document describing its origin and building process (L1).
  2. The Provenance document should be trustworthy and verified downstream (L2).
  3. The build system should be trustworthy (L3).

 

The SLSA framework defines levels, which represent how secure the software supply chain is. These levels correspond to the level of implementation of these requirements (noted as L1-L3 above).

 

Meeting SLSA requirements is.. Well.. complex. It involves a nuanced understanding of CI-platform dependencies, defies full automation, and demands a meticulous security analysis of build systems and pipelines. 

 

If SLSA L3 is the path forward for your organization, it’s time to roll up your sleeves. 

Scribe’s valint slsacommand can be used to produce Provenance documents. Following, we describe how to achieve SLSA levels by using this tool.

 

Get this use case,  which provides our recommended checklist to guide you through the process

All Resources

Last Resources

Mitigation strategies for dealing with GitHub security breaches In late September news came out that GitHub repositories were hit by password-stealing commits that were disguised…
Gain valuable insights and strategies to fortify your software development process  Dr. Zero Trust shares essential tips on securing your software supply chain If you…
The adoption of software supply chain security best practices is currently in a watershed moment similar to the publication of the PCI compliance requirements in…