/slsa

Supply-chain Levels for Software Artifacts

Apache License 2.0Apache-2.0

SLSA ("salsa") is Supply-chain Levels for Software Artifacts

SLSA (pronounced "salsa") is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity. It’s how you get from safe enough to being as resilient as possible, at any link in the chain.

The best way to read about SLSA is to visit slsa.dev.

The fun way to get a taste of SLSA is to check out the Operation SLSA videos.

What's in this repo?

The primary content of this repo is the docs/ directory, which contains the core SLSA specification and sources to the slsa.dev website.

You can read SLSA's documentation here. The key documents are levels - which defines the framework - and requirements, which explains how to attain compliance.

Project status

The initial v0.1 specification is out and is now ready to be tried out and tested. We encourage the community to try adopting SLSA levels incrementally and to share your experiences back to us. We’ve released a set of tools and services to generate SLSA 1-2 provenance, which we’re looking to develop further soon.

Google has been using an internal version of SLSA since 2013 and requires it for all of their production workloads.

Steering committee

SLSA is currently led by an initial cross-organization, vendor-neutral steering committee. This committee is:

Shortcut to notify the steering committee on any issues/PRs:

@slsa-framework/slsa-steering-committee

To email the steering committee, use slsa-steering-committee@googlegroups.com.

Contributors

Get involved

We rely on feedback from other organizations to evolve SLSA and be more useful to more people. We’d love to hear your experiences using it.

Are the levels achievable in your project? Would you add or remove anything from the framework? What else is needed before you can adopt it?

Joining the working group