The SLSA Framework (Supply-chain Levels for Software Artifacts) is a systematic, check-list-based security specification that defines increasing levels of tamper resistance for software build and distribution pipelines. It provides a common taxonomy for organizations to measure and communicate the trustworthiness of their software supply chain, moving from basic source code management to hermetic, fully attested builds that prevent unauthorized modification.
Glossary
SLSA Framework

What is the SLSA Framework?
A graduated security framework that establishes a common language and set of controls to ensure the integrity of software artifacts throughout the development and deployment lifecycle.
SLSA defines four ascending levels of security maturity, from Level 1 (requiring a build script and provenance generation) to Level 4 (mandating a two-person review of all changes and a hermetic, fully isolated build process). The framework relies heavily on cryptographic attestations, such as in-toto metadata, to create a non-repudiable, verifiable record linking a final software package back to its source code, build instructions, and ephemeral environment.
Core Components of the SLSA Framework
The Supply-chain Levels for Software Artifacts (SLSA, pronounced 'salsa') framework is a graduated set of security controls designed to prevent tampering and improve the integrity of software packages and infrastructure. It provides a common taxonomy for how to think about software supply chain security.
Build L3: Hardened Build Platform
The current highest fully-achievable level for most organizations. SLSA Build L3 requires that the build process runs on a hardened, isolated platform with strong tenant isolation. This prevents one build from influencing another. Key requirements include:
- Ephemeral and isolated build environments
- No network access to prevent exfiltration of secrets
- Hermetic builds that are fully defined and reproducible
- Output is a cryptographically signed in-toto attestation binding the artifact to its provenance
Provenance Generation
The core artifact of any SLSA-compliant pipeline is the non-falsifiable provenance. This metadata record describes how an artifact was produced, including the build recipe, source materials, and build environment. Provenance must be:
- Cryptographically signed by the build platform's private key
- Verifiable by any consumer using the platform's public key
- Generated as an in-toto attestation conforming to the SLSA v1.0 provenance schema This allows policy engines to answer the question: 'Should I trust this artifact?'
Source Integrity (Level 2)
Before securing the build, you must secure the source. SLSA Source Level 2 requires:
- Version-controlled history with a strong, auditable retention policy
- Verified commit authorship using cryptographic signing (e.g., SSH or GPG keys)
- Branch protection rules preventing direct pushes to main
- Two-person review mandatory for all changes This establishes a chain of custody from the developer's intent to the source code ingested by the build system.
The SLSA Policy Engine
SLSA is not just a checklist; it's an automated enforcement mechanism. A policy engine consumes signed attestations and evaluates them against organizational policy. For example, a policy might state: 'Only allow deployment of container images built from the main branch on the trusted CI platform.' The engine cryptographically verifies the attestation's signature and checks the predicate fields. This decouples policy evaluation from the build process itself, enabling consistent, automated enforcement across heterogeneous environments.
Dependencies & Verification Summary
SLSA Level 4 represents the ideal state of hermeticity and reproducibility. A build is hermetic if all transitive dependencies are declared and controlled. A build is reproducible if two independent builds from the same source produce a bit-for-bit identical output. While difficult to achieve universally, these properties enable:
- Verification summary attestations (VSA) that confirm an artifact meets a specific SLSA level
- Binary authorization where only verified artifacts pass through the deployment gate
- Defense against advanced supply chain attacks like the SolarWinds incident
SLSA Levels: A Comparative Overview
A comparison of the increasing security rigor and tamper-resistance guarantees across the four Supply-chain Levels for Software Artifacts (SLSA) Build track.
| Feature | SLSA Level 1 | SLSA Level 2 | SLSA Level 3 | SLSA Level 4 |
|---|---|---|---|---|
Primary Objective | Build transparency via provenance | Tamper resistance via hosted build service | Tamper prevention via hardened build platform | Hermetic, auditable, and reproducible builds |
Provenance Generation | ||||
Provenance Authenticated | ||||
Provenance Non-Falsifiable | ||||
Build Script Source Known | ||||
Build Runs on Dedicated Infrastructure | ||||
Defense Against Cross-Build Contamination | ||||
Isolated, Ephemeral Build Environment | ||||
Hermetic Build (No Network Access) | ||||
Reproducible Build Required | ||||
Two-Person Review of Source Changes | ||||
Typical Verification Method | Manual inspection of provenance | Automated policy check on signed provenance | Automated policy check on non-falsifiable attestation | Automated policy check with hermeticity verification |
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the Supply-chain Levels for Software Artifacts framework, its implementation, and its role in securing the software development lifecycle.
The SLSA framework (Supply-chain Levels for Software Artifacts, pronounced "salsa") is a security framework that provides a graduated checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in software supply chains. It works by defining four ascending levels of security maturity—from Level 1 (basic build provenance) to Level 4 (hermetic, reproducible, two-person reviewed builds)—that an organization can adopt incrementally. Each level introduces stricter requirements around source code management, build process isolation, provenance generation, and artifact verification. The framework is designed to be actionable and measurable, giving security architects a concrete roadmap to mitigate threats like source code injection, compromised build platforms, and dependency confusion attacks. SLSA is inspired by Google's internal Binary Authorization for Borg system and is now maintained as an open standard under the OpenSSF (Open Source Security Foundation).
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The SLSA framework relies on a constellation of cryptographic and metadata standards to achieve its four levels of assurance. These related concepts form the technical foundation for tamper-proof build pipelines and verifiable artifact provenance.
Hermetic Build
A build process that is fully isolated from external network access and undeclared dependencies. SLSA Level 4 mandates hermeticity to eliminate trusted builder compromise vectors. A hermetic build guarantees that the output artifact is a deterministic function of only the declared source and build script, with no possibility of fetching poisoned dependencies mid-build.
- All inputs must be declared and verified by hash before the build starts
- Network access is blocked; any required dependency must be pre-fetched and cached
- Enables reproducible builds — two independent builders produce a bit-for-bit identical artifact
Ephemeral Build Environment
A build environment that is provisioned fresh for each build invocation and destroyed immediately after, leaving no mutable state between builds. This is a SLSA Level 3 requirement that prevents cross-build contamination where a previous build's compromised output or cached secrets could poison a subsequent artifact.
- Typically implemented using containerized runners or cloud VMs with no persistent volumes
- Prevents an attacker who compromises one build from persisting in the environment
- Combined with hermeticity, ensures the build is a pure function of the declared inputs

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us