The SLSA Framework establishes a trackable, four-level hierarchy of increasing security rigor—from basic build scripting at Level 1 to hermetic, two-person reviewed builds with cryptographic provenance at Level 4. Each level introduces specific, verifiable requirements for the source, build platform, and provenance metadata, enabling consumers to make informed risk decisions about the artifacts they deploy.
Glossary
SLSA Framework

What is SLSA Framework?
SLSA (Supply-chain Levels for Software Artifacts, pronounced "salsa") is a security framework that provides a graduated checklist of controls to prevent tampering and improve the integrity of software packages throughout the build and distribution process.
By codifying non-falsifiable provenance attestations, SLSA mitigates high-impact supply chain threats such as source tampering, compromised build platforms, and dependency confusion. The framework integrates with tools like Sigstore for keyless signing and in-toto for layout verification, forming a practical, incrementally adoptable foundation for achieving binary authorization and software supply chain resilience.
Key Features of the SLSA Framework
SLSA provides a graduated, track-based checklist of controls to prevent tampering and improve the integrity of software packages throughout the build and distribution process.
The Four SLSA Levels
SLSA defines an ascending scale of security rigor, from basic build scripting to hermetic, two-person reviewed builds.
- Level 1: Build is fully scripted/automated with provenance generation.
- Level 2: Uses version control and a hosted build service generating authenticated provenance.
- Level 3: Source and build platforms meet auditability standards; builds are isolated.
- Level 4: Requires two-person review of all changes and hermetic, reproducible builds.
SLSA Tracks
SLSA v1.0 decouples security into independent tracks to allow incremental adoption. Each track has its own level progression.
- Build Track: Focuses on build platform hardening, isolated builds, and parameterless recipes.
- Source Track: Secures the source control system, requiring strong authentication, branch protection, and two-person review at higher levels.
- Dependencies Track: Addresses the availability and integrity of third-party dependencies through hashed, verifiable resolution.
Provenance Attestation
A core output of SLSA compliance is a cryptographically signed provenance attestation—a verifiable metadata document describing how an artifact was produced.
- Follows the in-toto attestation specification.
- Binds the artifact hash to the build recipe, source repository, and builder identity.
- Enables policy engines to automatically reject artifacts lacking valid, expected provenance before deployment.
Hermetic Builds
A hermetic build is one executed in complete isolation, with no network access and all inputs explicitly declared.
- Required for SLSA Build Level 3+.
- Prevents a compromised build service from fetching malicious dependencies mid-build.
- Ensures the build is fully deterministic and auditable, as every input is hashed and recorded in the provenance.
Policy Enforcement via OPA
SLSA attestations are machine-readable, enabling automated policy enforcement at deploy time using tools like Open Policy Agent (OPA) or Binary Authorization.
- Policies can require a minimum SLSA level for production deployments.
- Rejects artifacts with missing, invalid, or tampered provenance.
- Transforms supply chain security from a manual audit into a continuous, automated gate.
Threats Mitigated
SLSA directly addresses critical supply chain attack vectors identified in high-profile compromises.
- Source Tampering (A): Unauthorized commits to protected branches.
- Build Tampering (B): Compromised CI/CD pipelines injecting malicious code.
- Dependency Confusion (C): Resolving a malicious package instead of the intended internal one.
- Artifact Substitution (D): Swapping a legitimate artifact for a backdoored version post-build.
Frequently Asked Questions
Clear, technical answers to the most common questions about the Supply-chain Levels for Software Artifacts framework, its implementation, and its role in securing the ML pipeline.
The SLSA framework (Supply-chain Levels for Software Artifacts, pronounced "salsa") is a graduated security checklist that provides a structured set of controls to prevent tampering and improve the integrity of software artifacts throughout the build and distribution process. It works by defining four ascending levels of security maturity, from Level 1 (basic provenance) to Level 4 (hermetic, two-person reviewed builds). Each level introduces specific requirements around source integrity, build integrity, and provenance generation. For an ML pipeline, this means ensuring that a model artifact can be cryptographically traced back to its exact source code, training data, and build environment, preventing attacks like data poisoning or dependency confusion from going undetected.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The SLSA framework does not operate in isolation. It relies on a constellation of complementary specifications and tools to establish end-to-end trust in the software supply chain.
Dependency Confusion
A supply chain attack where a malicious package with a higher version number is uploaded to a public registry, tricking a build system into downloading it instead of the intended private dependency. SLSA mitigates this by requiring explicit dependency pinning and hermetic builds that isolate the build environment from public registries.
- Attack vector: Misconfigured package managers checking public registries first
- Defense: Digest pinning, scoped registries, vendor mirroring
- Real-world impact: 35+ major companies compromised in 2021

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us