Inferensys

Glossary

SLSA Framework

Supply-chain Levels for Software Artifacts, a security framework providing a graduated checklist of controls to prevent tampering and ensure the integrity and provenance of software throughout its build and deployment lifecycle.
Supply chain manager using AI negotiator on laptop, supplier data visible, casual office afternoon setup.
SUPPLY-CHAIN INTEGRITY

What is SLSA Framework?

A graduated security framework for ensuring the integrity and provenance of software artifacts throughout the build and deployment lifecycle.

The SLSA Framework (Supply-chain Levels for Software Artifacts) is a security specification that provides a graduated checklist of controls to prevent tampering and ensure the integrity and provenance of software throughout its build and deployment lifecycle. It establishes a common language for communicating supply chain security posture.

SLSA defines four ascending levels of security maturity, from basic build scripting to hermetic, reproducible builds with non-falsifiable provenance attestations. By requiring in-toto attestations and isolated build environments, the framework mitigates threats like source code injection, compromised build platforms, and dependency confusion attacks.

SUPPLY-CHAIN INTEGRITY

The Four SLSA Security Levels

Supply-chain Levels for Software Artifacts (SLSA, pronounced "salsa") is a graduated security framework that defines four ascending levels of build integrity and provenance controls. Each level provides a checklist of concrete, automatable requirements to prevent tampering and ensure the verifiable origin of software artifacts.

01

Level 1: Basic Provenance

The foundational tier requires that the build process generates a provenance attestation—a verifiable statement describing how the artifact was built, including source repository, build command, and entry point. This data must be made available to consumers for manual inspection. However, the build itself is not required to be hermetic or isolated, meaning the provenance is informational rather than tamper-proof. Level 1 establishes the cultural and tooling baseline for generating signed metadata without enforcing strict security controls on the build environment.

02

Level 2: Hosted Build Platform

This level mandates the use of a dedicated, hosted build service (e.g., GitHub Actions, Google Cloud Build) rather than a developer's local workstation. The build platform must generate and sign provenance automatically. Key requirements include:

  • Source integrity: The build service must fetch source from a defined, version-controlled location.
  • Signed provenance: The platform cryptographically signs the attestation, linking it to the build service's identity. This prevents a malicious insider from manually crafting a fake provenance record on their laptop, as all builds must flow through a controlled, observable channel.
03

Level 3: Hardened Builds

Level 3 introduces stringent controls to prevent the build process itself from being subverted. The build must run in an isolated, ephemeral, and hermetic environment with no network access to prevent exfiltration or injection of untrusted dependencies. Specific controls include:

  • Non-falsifiable provenance: Consumers can cryptographically verify the provenance was generated by a trusted platform and has not been tampered with.
  • Hermeticity: All build inputs, including transitive dependencies, must be declared and fetched from a trusted, immutable source before isolation begins.
  • Reproducibility: While not strictly required, the build configuration must be fully captured to enable auditing and eventual reproduction. This level provides strong resistance against compromised build tools or dependency confusion attacks.
04

Level 4: Maximum Security

The highest assurance tier requires hermetic, fully reproducible builds and two-person review of all source code and build configurations. A Level 4 artifact can be independently rebuilt bit-for-bit from source, providing cryptographic proof that no tampering occurred during compilation. Requirements include:

  • Reproducible builds: Independent rebuilds produce a byte-for-byte identical artifact.
  • Two-person review: All changes to source and build recipes must be approved by a second authorized party.
  • Asymmetric isolation: The build process has no network access, and the provenance signing key is stored in a hardware security module (HSM). This level defends against sophisticated supply-chain attacks where the build platform itself might be compromised by a persistent adversary.
SLSA FRAMEWORK

Frequently Asked Questions

Clear, technical answers to the most common questions about Supply-chain Levels for Software Artifacts, the graduated security framework for ensuring end-to-end software integrity.

The SLSA (Supply-chain Levels for Software Artifacts) framework, pronounced "salsa," is a security standard that provides a graduated checklist of controls to prevent tampering and ensure the integrity and provenance of software throughout its build and deployment lifecycle. It works by defining four ascending levels of security maturity, from basic build scripting to hermetic, fully attested builds. Each level introduces stricter requirements for the source, build, and provenance aspects of an artifact. For example, SLSA Level 1 requires a scripted build, while Level 4 demands a hermetic build process, two-person review of all changes, and non-falsifiable provenance attestations. The framework is designed to mitigate specific threats like source code tampering, compromised build platforms, and dependency confusion attacks by making the software supply chain auditable and verifiable.

FRAMEWORK COMPARISON

SLSA vs. Related Supply Chain Standards

A comparison of the SLSA framework with other major standards and specifications governing software supply chain integrity and artifact provenance.

FeatureSLSAin-totoSigstoreSBOM (SPDX/CycloneDX)

Primary Focus

Graduated security levels for build & deployment integrity

Cryptographic attestation of supply chain steps

Keyless artifact signing & signature transparency

Inventory of software components & dependencies

Build Provenance

Tamper-Proof Attestations

Transparency Log

Dependency Graph Generation

Maturity Levels

4 levels (0-3)

Keyless Signing Support

Standard Body

OpenSSF (Linux Foundation)

CNCF

OpenSSF (Linux Foundation)

Linux Foundation / OWASP

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.