What is SLSA (Supply-chain Levels for Software Artifacts)?

A security framework for software supply-chain integrity: a specification of graded levels (a checklist plus the standards behind it) describing how build artifacts are produced, how provenance attesting to that build is generated and signed, and how consumers verify it.

Full explanation

SLSA v1.0 defines a Build track with Levels 0 through 3. Build L1 requires that provenance exists describing how the artifact was built; Build L2 requires a hosted build platform that signs the provenance; Build L3 requires a hardened build platform where builds run in isolation and the provenance is unforgeable, meaning the project's own build steps cannot access the signing key. The earlier v0.1 draft of SLSA had Levels 1 through 4, with Level 4 adding two-person review and hermetic builds; those requirements are not part of the v1.0 levels. Most modern CI/CD platforms can emit SLSA provenance on every build. Consuming it downstream means checking the envelope signature, checking that the artifact's digest appears among the provenance subjects, and checking that the builder identity and source repository recorded in the provenance match what your policy expects; together these let you verify that a given artifact was built by a specific pipeline from a specific source.

Example

The SLSA project's `slsa-github-generator` reusable workflows run on GitHub Actions and produce provenance that meets SLSA Build L3; the companion `slsa-verifier` tool checks the provenance signature, builder identity and source repository against the artifact. Deployment tooling (for example an admission controller in front of a cluster) runs that verification before allowing the artifact to run.

FAQ

What is in-toto?

in-toto is a supply-chain security framework; SLSA borrows its attestation format, not a signature scheme. A SLSA provenance is an in-toto Statement: a `_type`, a `subject` list naming the artifacts and their digests, a `predicateType` of `https://slsa.dev/provenance/v1`, and a `predicate` carrying the build details. The Statement is wrapped in a DSSE (Dead Simple Signing Envelope), and it is the DSSE envelope that actually holds the signatures.
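The verification described in the Example section and the Statement/envelope layout described in this FAQ answer, as an added example (not code from the SLSA project or from `slsa-verifier`). It uses only the Python standard library. The DSSE pre-authentication encoding and the in-toto Statement / SLSA v1 predicate field names follow the public specifications, but the signer is an HMAC-SHA256 stand-in for the asymmetric signature a real build platform would produce (an assumption made so the sample runs offline), and the builder id, source repository, key, build type and artifact bytes are constructed values.

```python
"""Verify SLSA v1 provenance before accepting an artifact (stdlib only).

Assumptions: HMAC-SHA256 stands in for the build platform's real signature;
BUILDER_ID, SOURCE_REPO, BUILDER_KEY and the artifact bytes are constructed.
"""
import base64
import hashlib
import hmac
import json

INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed values standing in for a real build platform and project.
BUILDER_ID = "https://builder.example.invalid/ci@v1"
SOURCE_REPO = "git+https://github.com/example/app"
BUILDER_KEY = b"constructed-builder-key-not-a-real-secret"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that actually get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def make_provenance(name: str, artifact: bytes, builder_id: str, repo: str, commit: str) -> dict:
    """Build an in-toto Statement carrying a SLSA v1 provenance predicate."""
    return {
        "_type": INTOTO_STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/build-types/generic@v1",  # constructed
                "externalParameters": {"source": {"uri": repo, "digest": {"gitCommit": commit}}},
                "resolvedDependencies": [{"uri": repo, "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def sign_envelope(statement: dict, key: bytes) -> dict:
    """Wrap a Statement in a DSSE envelope; the signature covers PAE(type, payload)."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(DSSE_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "builder-key-1", "sig": base64.b64encode(sig).decode()}],
    }


def verify_provenance(envelope: dict, artifact: bytes, key: bytes,
                      expected_builder: str, expected_repo: str) -> tuple:
    """Deploy-gate checks. Signature first: nothing in the payload is trusted
    until the envelope verifies, so a forged payload cannot steer the policy."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope["payload"])
    expected_sig = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected_sig)
               for s in envelope.get("signatures", [])):
        return False, "signature does not verify"
    statement = json.loads(payload)
    if (statement.get("_type") != INTOTO_STATEMENT_TYPE
            or statement.get("predicateType") != SLSA_PREDICATE_TYPE):
        return False, "not a SLSA v1 provenance statement"
    # The provenance must be about *this* artifact, matched by digest, not by name.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        return False, "artifact digest not among provenance subjects"
    pred = statement.get("predicate", {})
    if pred.get("runDetails", {}).get("builder", {}).get("id") != expected_builder:
        return False, "untrusted builder id"
    source = pred.get("buildDefinition", {}).get("externalParameters", {}).get("source", {})
    if source.get("uri") != expected_repo:
        return False, "built from an unexpected source repository"
    return True, "ok"


if __name__ == "__main__":
    artifact = b"constructed artifact bytes"  # stands in for a real build output
    env = sign_envelope(make_provenance("app.tar.gz", artifact, BUILDER_ID, SOURCE_REPO, "0" * 40), BUILDER_KEY)
    print("genuine artifact:", verify_provenance(env, artifact, BUILDER_KEY, BUILDER_ID, SOURCE_REPO))
    print("swapped artifact:", verify_provenance(env, artifact + b"!", BUILDER_KEY, BUILDER_ID, SOURCE_REPO))
    print("wrong builder:   ", verify_provenance(env, artifact, BUILDER_KEY, "https://builder.example.invalid/other", SOURCE_REPO))
```

The order of checks is the point: the artifact digest is compared against the signed subject list rather than a filename, and the builder id and source URI are read only after the envelope signature has verified, so the only way to pass the gate is to present a provenance the trusted builder actually signed for exactly these bytes. A real deployment would replace the HMAC stand-in with the builder's public key (or a certificate chain) and pin the expected builder id to the specific workflow it trusts.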