Supply Chain Levels for Software Artifacts (SLSA) is a security framework that provides a structured, trackable checklist of controls to prevent tampering, improve integrity, and secure the provenance of software packages and dependencies. Pronounced "salsa," it defines a series of ascending levels, from basic build scripting to hermetic, fully attested builds, giving consumers confidence that an artifact has not been modified.
Glossary
Supply Chain Levels for Software Artifacts (SLSA)

What is Supply Chain Levels for Software Artifacts (SLSA)?
A graduated security framework that establishes a common language and checklist of controls to ensure the integrity and provenance of software artifacts throughout the build and distribution pipeline.
SLSA mitigates critical supply chain threats like source code modification, compromised build platforms, and dependency confusion by requiring specific attestations. By cryptographically signing a verifiable software bill of materials (SBOM) and provenance metadata, the framework allows policy engines to automatically verify the integrity of an agent's dependencies before deployment, ensuring no unauthorized code is introduced.
Core Components of the SLSA Framework
The Supply Chain Levels for Software Artifacts (SLSA) framework provides a structured, incrementally adoptable checklist of controls to prevent tampering, improve integrity, and secure the provenance of software packages and dependencies used in an agent's build pipeline.
Build L1: Ephemeral Isolation
The first level of build security requires that the build process occur in an ephemeral and isolated environment. This means each build invocation runs in a fresh, temporary context—such as a container or VM—that is destroyed after completion. The environment must not share state with previous or concurrent builds. This control prevents contamination from compromised build workers and ensures that a successful build is not the result of cached, unversioned, or malicious state from a prior run.
Build L2: Hermeticity
A hermetic build is one that has no network access and whose behavior is fully determined by its declared, immutable inputs. All dependencies, including compilers, libraries, and toolchains, must be fetched and verified before the build starts. No arbitrary network requests are permitted during execution. This guarantees that the build is reproducible and immune to dependency confusion attacks, where a package manager is tricked into downloading a malicious package with a similar name from a public registry.
Build L3: Hardened Platform
The highest level of build security requires a hardened build platform that enforces tamper-proof provenance generation. The platform itself must be a trusted system that cryptographically signs the provenance attestation immediately upon build completion, using a key managed in secure hardware. Crucially, the build process cannot influence the contents of the provenance, preventing a compromised build from forging its own attestation. This is typically achieved through a trusted control plane that observes the build and generates the attestation independently.
Source Integrity Controls
SLSA extends security requirements to the source code itself. Source integrity controls mandate that code changes undergo a two-person review process and that the full history is stored in a verifiable, tamper-evident version control system like Git. The specific commit and repository must be recorded in the build provenance. This prevents threat actors from injecting malicious code through un-reviewed pull requests or by directly manipulating the source repository's history to hide their tracks.
Verification Policy Engine
The consumer-side component that enforces organizational policy by validating SLSA provenance before an artifact is deployed. A verification engine checks the cryptographic signature on the attestation, confirms the builder's identity against a trusted root, and evaluates the recorded inputs against a set of allowed source repositories and build parameters. This allows a DevSecOps team to codify a rule like, 'Only deploy containers built by our trusted CI platform from the main branch of the production repository.'
Frequently Asked Questions
Clear answers to the most common questions about implementing Supply Chain Levels for Software Artifacts in autonomous agent build pipelines.
Supply Chain Levels for Software Artifacts (SLSA, pronounced "salsa") is a security framework that provides a graduated checklist of controls to prevent tampering, improve integrity, and secure the provenance of software packages and dependencies throughout the build pipeline. It works by defining four ascending levels of security maturity, from basic build scripting (Level 1) to hermetic, fully attested builds with two-person review (Level 4). Each level introduces specific requirements around source integrity, build platform hardening, provenance generation, and verification. For autonomous agent systems, SLSA ensures that the code defining an agent's behavior, tool access, and safety constraints has not been modified by a malicious actor between the source repository and the deployment environment. The framework operates on the principle of non-repudiable attestations—cryptographically signed metadata that proves exactly how, when, and from what source an artifact was produced.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding SLSA requires familiarity with the foundational security concepts and artifacts that underpin software supply chain integrity. These related terms define the building blocks of a verifiable, tamper-proof build pipeline.
Hermetic Build
A build process that is fully self-contained and isolated from external network access, ensuring that all inputs are declared and verified before execution. Hermeticity is a requirement for SLSA Level 4.
- No network access during the build step
- All dependencies must be fetched and verified in a separate, audited resolution phase
- Reproducibility: The same inputs always produce a bit-for-bit identical output
Ephemeral Environment
A short-lived, disposable execution context created from a known-good, immutable image and completely destroyed after a single build task. This prevents state contamination between builds and is a prerequisite for achieving SLSA Level 3.
- No persistent state between build invocations
- Prevents credential leakage and build cache poisoning
- Common implementations: GitHub Actions ephemeral runners, Tekton Pipelines with fresh pods
Two-Person Review
A procedural control requiring that every change to the source code be reviewed and approved by a different authorized person before it can be merged. This is a mandatory requirement for SLSA Level 3 to prevent a single compromised account from injecting malicious code.
- Enforced via branch protection rules in GitHub, GitLab, or Gerrit
- Prevents insider threats and account takeover attacks
- Audit trail: All reviews are logged and non-repudiable

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us