You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/compliance/SLSA.md
+11-25Lines changed: 11 additions & 25 deletions
Original file line number
Diff line number
Diff line change
@@ -33,12 +33,11 @@ Levels are further broken up into their own tracks, each expanding on the previo
33
33
34
34
### SLSA Level 0: The Starting Line
35
35
36
-
This is the Wild West of software development, where most software starts. No automation, no reproducibility, no trust. It’s like baking a cake without writing down the recipe—you might get something tasty once, but good luck doing it again the same way.
36
+
This is the Wild West of software development, where most software starts. No automation, no reproducibility, no trust. It's a bit like baking a cake without writing down the recipe—you might get something tasty once, but good luck doing it again the same way.
37
37
38
-
The build process might be manual, dependencies aren't tracked, and there's no way to verify the integrity of your artifacts.
38
+
The build process might be manual, dependencies aren't tracked, and there's no way to verify the integrity of your artifacts. The risk here is that tampering is undetectable, and no one knows how your software was built. Ultimately, however, the goal is to recognize this as the starting point, and commit to improvement.
39
39
40
-
- Risk: Tampering is undetectable, and no one knows how your software was built.
41
-
- Goal: Recognize this as the starting point and commit to improvement.
40
+
An example at this level might be running `make` commands directly on your local machine and manually uploading binaries to a server.
42
41
43
42
### SLSA Level 1
44
43
@@ -48,8 +47,6 @@ Requirements:
48
47
- A defined build process (e.g. CI/CD pipelines).
49
48
- Artifacts can be recreated reliably.
50
49
51
-
Example: Running `make` commands directly on your local machine and manually uploading binaries to a server.
52
-
53
50
Example tools might include Jenkins, GitHub Actions, or GitLab CI.
54
51
55
52
:::tip[Did you know?]
@@ -58,33 +55,22 @@ SLSA L1 is achievable for many teams with minimal effort—if you're using CI/CD
58
55
59
56
:::
60
57
61
-
SLSA L1 is a means to an end, and should be seen as a stepping stone towards improving your overall approach to security.
58
+
SLSA L1 is a means to an end, and should be seen as a stepping stone towards improving your overall approach to security.
62
59
63
60
64
61
### SLSA Level 2: Provenance Proofs
65
62
66
-
Level 2 introduces the concept of [provenance](/what-is-software-provenance-and-why-is-it-important-for-security), a verifiable statement of what, how, and where something was built. Build systems must generate signed provenance documents.
63
+
Level 2 introduces the concept of [provenance](/what-is-software-provenance-and-why-is-it-important-for-security), a verifiable statement of _what_, _how_, and _where_ something was built.
67
64
68
-
Builds must be performed in a secure environment that prevents tampering, which involves using isolated, authenticated systems (e.g. hardened CI/CD environments).
65
+
Build systems must generate signed provenance documents. Builds must also be performed in a secure environment that prevents tampering, which involves using isolated, authenticated systems (e.g. hardened CI/CD environments).
69
66
70
67
### SLSA Level 3: Fully Fortified
71
68
72
-
This is the gold standard. At Level 3:
73
-
- Builds are hermetic (completely isolated from the outside world).
74
-
- Dependencies are verified and controlled.
75
-
- Build environments are hardened to prevent tampering.
76
-
77
-
Additional practices include:
78
-
- Two-person review for every change.
79
-
- Strict control over source and dependencies.
80
-
- Requirements:
81
-
- All Level 2 controls.
82
-
- Builds must be tamper-proof and reproducible in a hermetic environment.
83
-
- Example Tools:
84
-
- Containerized builds (e.g., using Docker or Bazel).
85
-
- Cloud-native build systems like GCP Cloud Build or AWS CodeBuild.
86
-
87
-
This level adds two-person review for all changes and hermetic builds, meaning builds are completely isolated from the outside world. Every dependency must be verified.
69
+
SLSA L3 is the gold standard. This level adds a two-person review for any changes and requires reproducible tamper-proof builds in a hermetic environment (meaning builds are completely isolated from the outside world). Each and every dependency must be verified. At Level 3:
88
70
71
+
- Builds are hermetic
72
+
- Dependencies are verified and controlled
73
+
- Build environments are hardened to prevent tampering
89
74
75
+
Example tools at this level might include containerized builds using, for example, Docker. Cloud-native build systems like GCP Cloud Build or AWS CodeBuild are also popular options.
0 commit comments