The SLSA Framework (Supply-chain Levels for Software Artifacts, pronounced "salsa") is a security specification that defines a series of increasing, trackable levels of integrity for software supply chains. It provides a common taxonomy for how a software artifact was produced, enabling consumers to make risk-based decisions. The framework focuses on protecting against source and build integrity threats, such as unauthorized code modification, compromised build platforms, and dependency confusion attacks, by requiring verifiable, tamper-proof metadata.
Glossary
SLSA Framework

What is the SLSA Framework?
A security framework providing a graded checklist of controls to prevent tampering and ensure the integrity of software artifacts throughout the build and distribution process.
SLSA is structured into four ascending levels of rigor. Level 1 requires a basic build script and provenance generation. Level 2 mandates version control and a hosted build service generating authenticated provenance. Level 3 enforces non-falsifiable provenance through hardened build platforms with isolated, ephemeral environments. The highest tier, Level 4, demands a two-person review of all changes and a fully hermetic, reproducible build process, providing the strongest defense against sophisticated supply chain compromises.
Core Properties of the SLSA Framework
The Supply-chain Levels for Software Artifacts (SLSA, pronounced 'salsa') framework provides a structured, incrementally adoptable checklist of controls to harden the software build and distribution process against tampering.
The Four Ascending Levels
SLSA defines a progressive maturity model with four distinct levels, each building on the security guarantees of the previous tier:
- Level 1: Requires a fully scripted, automated build process with provenance generation showing how the artifact was built.
- Level 2: Demands version control and a hosted build service that generates authenticated provenance, preventing post-build tampering.
- Level 3: Enforces hermetic builds and isolated, ephemeral build environments where the source is verified against a trusted policy.
- Level 4: Requires two-person review of all changes and a fully reproducible build process, offering the highest degree of non-tamperability.
Provenance Attestation
The central artifact of the SLSA framework is a verifiable, in-toto provenance attestation. This cryptographically signed metadata document records the builder, the source repository, the build recipe, and all input materials. It creates an unbroken chain of custody, allowing a verifier to answer the critical question: 'Was this artifact built from the correct source code on a trusted platform?' This shifts trust from the artifact itself to the verifiable record of its creation.
Threats Mitigated
SLSA directly addresses critical supply chain attack vectors that compromise software integrity before deployment:
- Source Tampering: Unauthorized modification of source code after a review has been completed.
- Build Compromise: A compromised build platform injecting malicious behavior during the compilation or packaging step.
- Artifact Tampering: Modification of a built package after it has been produced but before it is consumed by the end user.
- Dependency Confusion: Substituting a private, internal dependency with a malicious public package of the same name.
SLSA for AI Model Supply Chains
Applying SLSA to AI extends its scope beyond code to include model weights, datasets, and training pipelines. A SLSA-compliant AI supply chain generates provenance that attests to the exact dataset version, hyperparameters, and training code used to produce a model. This prevents model poisoning and ensures that a deployed model is a faithful artifact of a known, audited process, not a tampered or backdoored version.
Verification Policy Engine
SLSA is not just a build-time framework; it is enforced at deploy time by a policy engine. Before a container image or AI model is allowed to run in production, a policy engine like Binary Authorization validates the SLSA provenance against a set of organizational rules. For example, a policy might require that all production artifacts originate from a specific CI/CD system and reach at least SLSA Level 3, automatically blocking any artifact that fails this cryptographic check.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about the Supply-chain Levels for Software Artifacts (SLSA) framework, its implementation, and its role in securing AI supply chains.
The Supply-chain Levels for Software Artifacts (SLSA) framework is a security specification that provides a graduated checklist of controls to prevent tampering and ensure the integrity of software artifacts throughout the build and distribution process. Pronounced "salsa," it works by defining four ascending levels of security maturity—Level 1 through Level 4—each requiring progressively stronger safeguards. At its core, SLSA requires that artifacts be provenance-attested, meaning every build must generate cryptographically verifiable metadata describing exactly how, when, and from what source code the artifact was created. The framework addresses threats including source code modification, compromised build platforms, and dependency substitution attacks by enforcing requirements like hermetic builds, two-person reviews, and reproducible builds. For AI systems, SLSA extends to model weights and datasets, ensuring that a model deployed to production can be traced back to its exact training data and code with cryptographic certainty.
Related Terms
Explore the core components and adjacent specifications that operationalize the SLSA Framework within a secure software development lifecycle.
In-Toto Attestation
A specification for generating verifiable metadata that cryptographically records the steps, materials, and environmental conditions present during a software supply chain operation. In-toto attestations provide the non-forgeable evidence required to meet SLSA Level 2+ requirements, linking the final artifact back to the specific builder and source repository.
Hermetic Builds
A build process executed in a fully isolated, network-disconnected environment where all dependencies are declared and fetched in advance. Hermeticity guarantees repeatability and prevents remote tampering, directly satisfying the SLSA requirement that builds must be isolated from external influence to prevent the injection of malicious code during compilation.
Binary Authorization
A deploy-time security control that enforces strict validation by requiring cryptographically signed signatures before a container image or binary is allowed to execute in a production environment. This acts as the enforcement point for SLSA provenance policies, ensuring only artifacts that have passed the verified supply chain pipeline are admitted to the runtime.
Reproducible Builds
A software compilation process that produces bit-for-bit identical binary artifacts from a given source code. This enables independent verification that no malicious injection occurred during compilation. Reproducibility provides the highest level of tamper resistance, allowing multiple parties to independently verify the output against the attested provenance.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us