Inferensys

Glossary

Supply Chain Levels for Software Artifacts (SLSA)

A security framework that provides a checklist of controls to prevent tampering, improve integrity, and secure the provenance of the software packages and dependencies used in an agent's build pipeline.
Developer demonstrating multi-agent tool use, agent tool selection interface on laptop, casual tech demo moment.
SECURITY FRAMEWORK

What is Supply Chain Levels for Software Artifacts (SLSA)?

A graduated security framework that establishes a common language and checklist of controls to ensure the integrity and provenance of software artifacts throughout the build and distribution pipeline.

Supply Chain Levels for Software Artifacts (SLSA) is a security framework that provides a structured, trackable checklist of controls to prevent tampering, improve integrity, and secure the provenance of software packages and dependencies. Pronounced "salsa," it defines a series of ascending levels, from basic build scripting to hermetic, fully attested builds, giving consumers confidence that an artifact has not been modified.

SLSA mitigates critical supply chain threats like source code modification, compromised build platforms, and dependency confusion by requiring specific attestations. By cryptographically signing a verifiable software bill of materials (SBOM) and provenance metadata, the framework allows policy engines to automatically verify the integrity of an agent's dependencies before deployment, ensuring no unauthorized code is introduced.

SUPPLY CHAIN INTEGRITY

Core Components of the SLSA Framework

The Supply Chain Levels for Software Artifacts (SLSA) framework provides a structured, incrementally adoptable checklist of controls to prevent tampering, improve integrity, and secure the provenance of software packages and dependencies used in an agent's build pipeline.

02

Build L1: Ephemeral Isolation

The first level of build security requires that the build process occur in an ephemeral and isolated environment. This means each build invocation runs in a fresh, temporary context—such as a container or VM—that is destroyed after completion. The environment must not share state with previous or concurrent builds. This control prevents contamination from compromised build workers and ensures that a successful build is not the result of cached, unversioned, or malicious state from a prior run.

03

Build L2: Hermeticity

A hermetic build is one that has no network access and whose behavior is fully determined by its declared, immutable inputs. All dependencies, including compilers, libraries, and toolchains, must be fetched and verified before the build starts. No arbitrary network requests are permitted during execution. This guarantees that the build is reproducible and immune to dependency confusion attacks, where a package manager is tricked into downloading a malicious package with a similar name from a public registry.

04

Build L3: Hardened Platform

The highest level of build security requires a hardened build platform that enforces tamper-proof provenance generation. The platform itself must be a trusted system that cryptographically signs the provenance attestation immediately upon build completion, using a key managed in secure hardware. Crucially, the build process cannot influence the contents of the provenance, preventing a compromised build from forging its own attestation. This is typically achieved through a trusted control plane that observes the build and generates the attestation independently.

05

Source Integrity Controls

SLSA extends security requirements to the source code itself. Source integrity controls mandate that code changes undergo a two-person review process and that the full history is stored in a verifiable, tamper-evident version control system like Git. The specific commit and repository must be recorded in the build provenance. This prevents threat actors from injecting malicious code through un-reviewed pull requests or by directly manipulating the source repository's history to hide their tracks.

06

Verification Policy Engine

The consumer-side component that enforces organizational policy by validating SLSA provenance before an artifact is deployed. A verification engine checks the cryptographic signature on the attestation, confirms the builder's identity against a trusted root, and evaluates the recorded inputs against a set of allowed source repositories and build parameters. This allows a DevSecOps team to codify a rule like, 'Only deploy containers built by our trusted CI platform from the main branch of the production repository.'

SLSA FRAMEWORK

Frequently Asked Questions

Clear answers to the most common questions about implementing Supply Chain Levels for Software Artifacts in autonomous agent build pipelines.

Supply Chain Levels for Software Artifacts (SLSA, pronounced "salsa") is a security framework that provides a graduated checklist of controls to prevent tampering, improve integrity, and secure the provenance of software packages and dependencies throughout the build pipeline. It works by defining four ascending levels of security maturity, from basic build scripting (Level 1) to hermetic, fully attested builds with two-person review (Level 4). Each level introduces specific requirements around source integrity, build platform hardening, provenance generation, and verification. For autonomous agent systems, SLSA ensures that the code defining an agent's behavior, tool access, and safety constraints has not been modified by a malicious actor between the source repository and the deployment environment. The framework operates on the principle of non-repudiable attestations—cryptographically signed metadata that proves exactly how, when, and from what source an artifact was produced.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.