Inferensys

Glossary

SLSA Framework

A security framework (Supply-chain Levels for Software Artifacts) providing a graduated checklist of controls to prevent tampering and improve the integrity of software packages throughout the build and distribution process.
Supply chain manager using AI negotiator on laptop, supplier data visible, casual office afternoon setup.
SUPPLY CHAIN INTEGRITY

What is SLSA Framework?

SLSA (Supply-chain Levels for Software Artifacts, pronounced "salsa") is a security framework that provides a graduated checklist of controls to prevent tampering and improve the integrity of software packages throughout the build and distribution process.

The SLSA Framework establishes a trackable, four-level hierarchy of increasing security rigor—from basic build scripting at Level 1 to hermetic, two-person reviewed builds with cryptographic provenance at Level 4. Each level introduces specific, verifiable requirements for the source, build platform, and provenance metadata, enabling consumers to make informed risk decisions about the artifacts they deploy.

By codifying non-falsifiable provenance attestations, SLSA mitigates high-impact supply chain threats such as source tampering, compromised build platforms, and dependency confusion. The framework integrates with tools like Sigstore for keyless signing and in-toto for layout verification, forming a practical, incrementally adoptable foundation for achieving binary authorization and software supply chain resilience.

SUPPLY-CHAIN LEVELS FOR SOFTWARE ARTIFACTS

Key Features of the SLSA Framework

SLSA provides a graduated, track-based checklist of controls to prevent tampering and improve the integrity of software packages throughout the build and distribution process.

01

The Four SLSA Levels

SLSA defines an ascending scale of security rigor, from basic build scripting to hermetic, two-person reviewed builds.

  • Level 1: Build is fully scripted/automated with provenance generation.
  • Level 2: Uses version control and a hosted build service generating authenticated provenance.
  • Level 3: Source and build platforms meet auditability standards; builds are isolated.
  • Level 4: Requires two-person review of all changes and hermetic, reproducible builds.
02

SLSA Tracks

SLSA v1.0 decouples security into independent tracks to allow incremental adoption. Each track has its own level progression.

  • Build Track: Focuses on build platform hardening, isolated builds, and parameterless recipes.
  • Source Track: Secures the source control system, requiring strong authentication, branch protection, and two-person review at higher levels.
  • Dependencies Track: Addresses the availability and integrity of third-party dependencies through hashed, verifiable resolution.
03

Provenance Attestation

A core output of SLSA compliance is a cryptographically signed provenance attestation—a verifiable metadata document describing how an artifact was produced.

  • Follows the in-toto attestation specification.
  • Binds the artifact hash to the build recipe, source repository, and builder identity.
  • Enables policy engines to automatically reject artifacts lacking valid, expected provenance before deployment.
04

Hermetic Builds

A hermetic build is one executed in complete isolation, with no network access and all inputs explicitly declared.

  • Required for SLSA Build Level 3+.
  • Prevents a compromised build service from fetching malicious dependencies mid-build.
  • Ensures the build is fully deterministic and auditable, as every input is hashed and recorded in the provenance.
05

Policy Enforcement via OPA

SLSA attestations are machine-readable, enabling automated policy enforcement at deploy time using tools like Open Policy Agent (OPA) or Binary Authorization.

  • Policies can require a minimum SLSA level for production deployments.
  • Rejects artifacts with missing, invalid, or tampered provenance.
  • Transforms supply chain security from a manual audit into a continuous, automated gate.
06

Threats Mitigated

SLSA directly addresses critical supply chain attack vectors identified in high-profile compromises.

  • Source Tampering (A): Unauthorized commits to protected branches.
  • Build Tampering (B): Compromised CI/CD pipelines injecting malicious code.
  • Dependency Confusion (C): Resolving a malicious package instead of the intended internal one.
  • Artifact Substitution (D): Swapping a legitimate artifact for a backdoored version post-build.
SLSA FRAMEWORK FAQ

Frequently Asked Questions

Clear, technical answers to the most common questions about the Supply-chain Levels for Software Artifacts framework, its implementation, and its role in securing the ML pipeline.

The SLSA framework (Supply-chain Levels for Software Artifacts, pronounced "salsa") is a graduated security checklist that provides a structured set of controls to prevent tampering and improve the integrity of software artifacts throughout the build and distribution process. It works by defining four ascending levels of security maturity, from Level 1 (basic provenance) to Level 4 (hermetic, two-person reviewed builds). Each level introduces specific requirements around source integrity, build integrity, and provenance generation. For an ML pipeline, this means ensuring that a model artifact can be cryptographically traced back to its exact source code, training data, and build environment, preventing attacks like data poisoning or dependency confusion from going undetected.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.