Supply-chain Levels for Software Artifacts, or SLSA (pronounced ‘salsa’), is a framework for reasoning about and improving the integrity of software artifacts. SLSA (https://slsa.dev) is seeing increased adoption across industry and open source ecosystems.
To reach the highest SLSA Build level, a build system must meet rigorous security requirements. Most of these requirements cannot practically be recorded in an artifact’s build provenance, so a consumer has to decide whether to trust that the build system named in the provenance actually conforms to the SLSA specification. The community started the SLSA conformance program to help consumers make that trust decision in a principled way.
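The consumer-side check described above, as an added example (not code from the talk or from the SLSA project): after the provenance envelope has been signature-verified, the consumer maps the builder identity recorded in the provenance to the SLSA Build level it has decided to trust that builder at, and rejects the artifact when the builder is unknown or the trusted level is too low. The builder IDs, the policy table and the sample artifact are constructed for the example; the statement layout (`_type`, `predicateType`, `subject[].digest.sha256`, `predicate.runDetails.builder.id`) follows the SLSA v1 provenance format.

```python
"""Policy evaluation a consumer runs during SLSA verification.

Added example, not code from the talk or from slsa.dev. Assumes the DSSE
envelope carrying the statement has already been signature-verified; this
step only decides whether the named builder is trusted at the required level.
"""
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Hypothetical trust policy. The provenance never states a SLSA level; the
# consumer asserts, per builder identity, the level it has judged that
# builder to meet (e.g. from the builder's conformance self-certification).
TRUST_POLICY = {
    "https://ci.example.com/builders/hosted-isolated@v2": 3,
    "https://ci.example.com/builders/shared-runner@v1": 1,
}


def evaluate(statement, artifact, required_level, policy=TRUST_POLICY):
    """Return (ok, reason) for one artifact against one provenance statement.

    builder.id is matched exactly: prefix or substring matching would let a
    builder named 'hosted-isolated@v2-fork' inherit the trusted builder's level.
    """
    if statement.get("_type") != STATEMENT_TYPE:
        return False, "not an in-toto v1 statement"
    if statement.get("predicateType") != PREDICATE_TYPE:
        return False, f"unexpected predicateType {statement.get('predicateType')!r}"

    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return False, "artifact digest is not among the provenance subjects"

    builder_id = (statement.get("predicate", {})
                  .get("runDetails", {})
                  .get("builder", {})
                  .get("id"))
    if builder_id is None:
        return False, "provenance has no runDetails.builder.id"

    level = policy.get(builder_id)
    if level is None:
        return False, f"builder {builder_id!r} is not in the trust policy"
    if level < required_level:
        return False, f"builder trusted at SLSA Build L{level}, need L{required_level}"
    return True, f"ok: {builder_id} trusted at SLSA Build L{level}"


def make_statement(artifact, builder_id):
    """Construct a minimal SLSA v1 provenance statement for the sample artifact."""
    return {
        "_type": STATEMENT_TYPE,
        "predicateType": PREDICATE_TYPE,
        "subject": [{"name": "app.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.com/buildtypes/container@v1"},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


# Constructed sample artifact bytes.
ARTIFACT = b"constructed artifact bytes"

if __name__ == "__main__":
    cases = [
        ("https://ci.example.com/builders/hosted-isolated@v2", 3),
        ("https://ci.example.com/builders/shared-runner@v1", 3),
        ("https://ci.example.com/builders/hosted-isolated@v2-fork", 3),
    ]
    for bid, need in cases:
        print(evaluate(make_statement(ARTIFACT, bid), ARTIFACT, need))
```

The policy table is the consumer's trust decision made explicit: changing the level next to a builder ID, or removing the ID, is how the consumer acts on what the conformance program's evidence tells them, without any change to the provenance itself.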
This talk describes the SLSA requirements for build systems, how the SLSA conformance program works, and how consumers can enforce their trust decisions during SLSA verification. After this talk, build system maintainers should understand the SLSA requirements and conformance program well enough to undergo the self-certification process, developers will be able to make informed decisions about which builders to use, and consumers will understand how to access public evidence that artifacts were built by SLSA-conformant build systems.