SLSA
SLSA, or Supply-chain Levels for Software Artifacts, is a security framework that defines a set of incremental levels for the integrity of software artifacts across the supply chain. It aims to help producers establish verifiable provenance and hardened build processes, and to help consumers check that an artifact was actually built from the expected source by the expected builder rather than merely claimed to be. The framework originated at Google, drawing on its internal Binary Authorization for Borg, and is now maintained as a project of the Open Source Security Foundation (OpenSSF) under the Linux Foundation.
SLSA centers on provenance, build platform integrity, and signed attestations; reproducible builds can strengthen these guarantees but are not required by the framework. Provenance records the sources, build steps, builder identity, and tooling
SLSA v0.1 defined levels 1 to 4 (with level 0 meaning no guarantees); SLSA v1.0 reorganized the framework into tracks, with the Build track defining levels 0 to 3. Higher levels require more rigorous controls and
Tooling for producing and verifying SLSA provenance commonly builds on the Sigstore ecosystem, including signing and transparency
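As an added example covering both the provenance content described above and the signing that tooling layers on top of it (this is not code from the original page or from any SLSA or Sigstore project), the following Python script builds a SLSA v1.0 provenance statement for a constructed artifact, wraps it in a signed DSSE envelope, and then verifies it the way a consumer should: signature over the DSSE pre-authentication encoding first, then subject digest, builder identity and source repository. The in-toto Statement v1 and SLSA provenance v1 field names follow the published specifications; the builder ID, repository URI, artifact bytes and the HMAC stand-in for the builder's signature are assumptions for the demo (real builders sign with asymmetric keys, commonly through Sigstore).

```python
"""Construct, sign and verify a SLSA v1.0 provenance attestation.

Added example: the attestation shape (in-toto Statement v1 + SLSA provenance
predicate, wrapped in a DSSE envelope) follows the published specs, but the
builder, repository, key and artifact below are constructed for this demo.
"""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample artifact (stands in for a release tarball).
ARTIFACT = b"contents of a constructed release tarball\n"
ARTIFACT_NAME = "app-1.0.0.tar.gz"

# Verification policy: what the consumer expects. Both URIs are assumptions.
EXPECTED_BUILDER_ID = "https://builder.example.com/workflows/release.yml@refs/tags/v1"
EXPECTED_SOURCE_URI = "git+https://github.com/example-org/app@refs/heads/main"

# Stand-in for the builder's signing key. Real builders sign with an
# asymmetric key (often Sigstore keyless); HMAC keeps this demo stdlib-only.
BUILDER_KEY = b"constructed-demo-key"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def make_provenance(artifact: bytes, name: str, commit: str,
                    builder_id: str = EXPECTED_BUILDER_ID) -> dict:
    """Builder side: produce a signed DSSE envelope over a SLSA provenance statement."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://builder.example.com/buildtypes/release/v1",
                "externalParameters": {"source": EXPECTED_SOURCE_URI},
                "resolvedDependencies": [
                    {"uri": EXPECTED_SOURCE_URI, "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": builder_id},
                           "metadata": {"invocationId": "run-42"}},
        },
    }
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(BUILDER_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo-builder",
                            "sig": base64.b64encode(sig).decode()}]}


def verify_provenance(envelope: dict, artifact: bytes, name: str) -> tuple:
    """Consumer side: returns (ok, reason). Authenticate first, then evaluate policy."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(BUILDER_KEY, pae(envelope["payloadType"], payload),
                        hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s.get("sig", "")))
               for s in envelope.get("signatures", [])):
        return False, "signature does not verify"
    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE or stmt.get("predicateType") != PREDICATE_TYPE:
        return False, "not a SLSA v1 provenance statement"
    # The subject binds the attestation to exactly this artifact content.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("name") == name and s.get("digest", {}).get("sha256") == digest
               for s in stmt.get("subject", [])):
        return False, "artifact not bound by subject"
    pred = stmt.get("predicate", {})
    # Builder identity: a valid signature from an untrusted builder proves nothing.
    if pred.get("runDetails", {}).get("builder", {}).get("id") != EXPECTED_BUILDER_ID:
        return False, "builder not trusted"
    # Source: the build must have consumed the repository the policy expects.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri") == EXPECTED_SOURCE_URI for d in deps):
        return False, "source repository not expected"
    return True, "ok"


def tamper_subject(envelope: dict) -> dict:
    """Rewrite the subject digest without re-signing, as an attacker lacking the key would."""
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    stmt["subject"][0]["digest"]["sha256"] = "00" * 32
    forged = json.dumps(stmt, separators=(",", ":"), sort_keys=True).encode()
    return {**envelope, "payload": base64.b64encode(forged).decode()}


if __name__ == "__main__":
    env = make_provenance(ARTIFACT, ARTIFACT_NAME, "a" * 40)
    print(verify_provenance(env, ARTIFACT, ARTIFACT_NAME))                  # (True, 'ok')
    print(verify_provenance(env, ARTIFACT + b"x", ARTIFACT_NAME))           # artifact not bound by subject
    print(verify_provenance(tamper_subject(env), ARTIFACT, ARTIFACT_NAME))  # signature does not verify
```

Note the order of checks: a consumer that reads fields out of the payload before verifying the signature, or that accepts any valid signature without pinning the builder identity it trusts, gets no integrity guarantee from the attestation. The tamper_subject case exercises the first failure mode; signing the same statement with a different builder ID (the builder_id parameter) exercises the second, since the signature is valid but the builder is not one the policy trusts.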