Inferensys

Glossary

SLSA Framework

A security framework (Supply-chain Levels for Software Artifacts) providing a graded checklist of controls to prevent tampering and ensure the integrity of software packages throughout the build and distribution process.
Supply chain manager using AI negotiator on laptop, supplier data visible, casual office afternoon setup.
SUPPLY CHAIN INTEGRITY

What is the SLSA Framework?

A security framework providing a graded checklist of controls to prevent tampering and ensure the integrity of software artifacts throughout the build and distribution process.

The SLSA Framework (Supply-chain Levels for Software Artifacts, pronounced "salsa") is a security specification that defines a series of increasing, trackable levels of integrity for software supply chains. It provides a common taxonomy for how a software artifact was produced, enabling consumers to make risk-based decisions. The framework focuses on protecting against source and build integrity threats, such as unauthorized code modification, compromised build platforms, and dependency confusion attacks, by requiring verifiable, tamper-proof metadata.

SLSA is structured into four ascending levels of rigor. Level 1 requires a basic build script and provenance generation. Level 2 mandates version control and a hosted build service generating authenticated provenance. Level 3 enforces non-falsifiable provenance through hardened build platforms with isolated, ephemeral environments. The highest tier, Level 4, demands a two-person review of all changes and a fully hermetic, reproducible build process, providing the strongest defense against sophisticated supply chain compromises.

SUPPLY CHAIN INTEGRITY

Core Properties of the SLSA Framework

The Supply-chain Levels for Software Artifacts (SLSA, pronounced 'salsa') framework provides a structured, incrementally adoptable checklist of controls to harden the software build and distribution process against tampering.

01

The Four Ascending Levels

SLSA defines a progressive maturity model with four distinct levels, each building on the security guarantees of the previous tier:

  • Level 1: Requires a fully scripted, automated build process with provenance generation showing how the artifact was built.
  • Level 2: Demands version control and a hosted build service that generates authenticated provenance, preventing post-build tampering.
  • Level 3: Enforces hermetic builds and isolated, ephemeral build environments where the source is verified against a trusted policy.
  • Level 4: Requires two-person review of all changes and a fully reproducible build process, offering the highest degree of non-tamperability.
4
Maturity Levels
02

Provenance Attestation

The central artifact of the SLSA framework is a verifiable, in-toto provenance attestation. This cryptographically signed metadata document records the builder, the source repository, the build recipe, and all input materials. It creates an unbroken chain of custody, allowing a verifier to answer the critical question: 'Was this artifact built from the correct source code on a trusted platform?' This shifts trust from the artifact itself to the verifiable record of its creation.

03

Threats Mitigated

SLSA directly addresses critical supply chain attack vectors that compromise software integrity before deployment:

  • Source Tampering: Unauthorized modification of source code after a review has been completed.
  • Build Compromise: A compromised build platform injecting malicious behavior during the compilation or packaging step.
  • Artifact Tampering: Modification of a built package after it has been produced but before it is consumed by the end user.
  • Dependency Confusion: Substituting a private, internal dependency with a malicious public package of the same name.
04

SLSA for AI Model Supply Chains

Applying SLSA to AI extends its scope beyond code to include model weights, datasets, and training pipelines. A SLSA-compliant AI supply chain generates provenance that attests to the exact dataset version, hyperparameters, and training code used to produce a model. This prevents model poisoning and ensures that a deployed model is a faithful artifact of a known, audited process, not a tampered or backdoored version.

05

Verification Policy Engine

SLSA is not just a build-time framework; it is enforced at deploy time by a policy engine. Before a container image or AI model is allowed to run in production, a policy engine like Binary Authorization validates the SLSA provenance against a set of organizational rules. For example, a policy might require that all production artifacts originate from a specific CI/CD system and reach at least SLSA Level 3, automatically blocking any artifact that fails this cryptographic check.

SLSA FRAMEWORK

Frequently Asked Questions

Clear, technical answers to the most common questions about the Supply-chain Levels for Software Artifacts (SLSA) framework, its implementation, and its role in securing AI supply chains.

The Supply-chain Levels for Software Artifacts (SLSA) framework is a security specification that provides a graduated checklist of controls to prevent tampering and ensure the integrity of software artifacts throughout the build and distribution process. Pronounced "salsa," it works by defining four ascending levels of security maturity—Level 1 through Level 4—each requiring progressively stronger safeguards. At its core, SLSA requires that artifacts be provenance-attested, meaning every build must generate cryptographically verifiable metadata describing exactly how, when, and from what source code the artifact was created. The framework addresses threats including source code modification, compromised build platforms, and dependency substitution attacks by enforcing requirements like hermetic builds, two-person reviews, and reproducible builds. For AI systems, SLSA extends to model weights and datasets, ensuring that a model deployed to production can be traced back to its exact training data and code with cryptographic certainty.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.