Supply Chain Levels for Software Artifacts (SLSA) is a security framework that defines a set of incrementally adoptable controls to protect software from source to deployment. It establishes a common language and a four-level scale (Build L0 to L3) for measuring supply chain integrity, with higher levels requiring stronger tamper-proof provenance and hermetic build processes. The framework is designed to mitigate threats like source code modification, compromised build platforms, and artifact substitution by ensuring every step in the software development lifecycle is auditable and cryptographically verifiable.
Glossary
Supply Chain Levels for Software Artifacts (SLSA)

What is Supply Chain Levels for Software Artifacts (SLSA)?
SLSA (pronounced 'salsa') is a security framework that provides a graduated checklist of controls to prevent tampering and improve the integrity of software packages and infrastructure throughout the build and deployment lifecycle.
SLSA's requirements center on creating non-forgeable, signed attestations that link a final artifact back to its source code, build instructions, and environment. At its highest level, it mandates two-person reviews, hermetic builds that are fully isolated and repeatable, and cryptographic signing of the resulting provenance metadata. By integrating with tools like Sigstore for keyless signing and in-toto for step-by-step attestation, SLSA provides a practical, vendor-neutral path to achieving end-to-end software supply chain integrity and defending against advanced persistent threats.
Core Components of the SLSA Framework
The Supply Chain Levels for Software Artifacts (SLSA) framework is organized into a set of core components that work together to provide end-to-end integrity guarantees. These components define how provenance is generated, policies are enforced, and artifacts are verified.
SLSA Provenance
The cornerstone of SLSA. Provenance is a verifiable, cryptographically signed statement about how a software artifact was built. It answers 'who, what, where, and how' for the build process.
- Format: Uses the in-toto attestation framework with a SLSA-specific predicate.
- Contents: Includes builder ID, source repository, build invocation parameters, and all transitive dependencies.
- Key Distinction: Unlike a simple checksum, provenance links an artifact to its origin, enabling policy decisions based on the builder's trustworthiness.
Build Level Tracks
SLSA defines ascending Build Levels (L0-L3) that represent increasing maturity and tamper-resistance of the build platform. Each level introduces specific requirements.
- L0: No guarantees. Binary is opaque.
- L1: Provenance is generated, showing how the software was built.
- L2: Build runs on a hosted service with source control, generating authenticated provenance.
- L3: Builds are hermetic and fully isolated. The build definition and output are verifiable and cannot be influenced by external parameters.
Hermetic Builds
A hermetic build is a build process that is entirely self-contained, with no network access or hidden state. This is a mandatory requirement for SLSA Build Level 3.
- Determinism: The same source inputs always produce a bit-for-bit identical output.
- No Fetching: All dependencies must be declared and resolved before the build starts; no
apt-get installorpip installduring the build. - Isolation: The build runs in an ephemeral, sandboxed environment that is destroyed after completion, preventing secret exfiltration or output tampering.
Policy Engine & Verification
Provenance is only useful if it's verified. A policy engine evaluates signed attestations against organizational rules before an artifact is deployed.
- Policy-as-Code: Rules are written declaratively (e.g., 'Only allow containers built by our trusted CI system from the
mainbranch'). - Integration Point: Typically enforced at the Admission Controller level in Kubernetes, blocking non-compliant deployments.
- Tooling: Projects like Open Policy Agent (OPA) and Kyverno are commonly used to codify and enforce SLSA-based deployment policies.
Verifiable Summary Attestation (VSA)
A VSA is a policy decision rendered as a signed attestation. It states that an artifact's SLSA provenance has been evaluated and meets a specific policy.
- Purpose: Simplifies downstream verification. A consumer can check the VSA instead of re-evaluating the full provenance chain.
- Workflow: A policy engine evaluates the SLSA provenance, and if it passes, it generates a VSA that is stored alongside the artifact.
- Efficiency: This decouples complex policy evaluation from deployment time, speeding up continuous delivery pipelines.
Source Control Integrity
SLSA's security model extends to the source. Source Level requirements protect the integrity of the code before it even reaches the build system.
- Two-Person Review: Changes must be approved by a different authorized person.
- Verified History: The git history must be cryptographically signed and protected from force-pushes.
- Strong Authentication: Contributors must use multi-factor authentication to push code, preventing account takeover from injecting malicious source changes.
SLSA Levels: Requirements and Threat Mitigation
A graduated comparison of security controls and the specific supply chain threats mitigated at each SLSA Build Level, from basic provenance to hermetic, tamper-proof builds.
| Requirement / Threat | SLSA Level 1 | SLSA Level 2 | SLSA Level 3 |
|---|---|---|---|
Build Script Provenance | |||
Automated Build Process | |||
Source Integrity (Verified History) | |||
Hermetic Build Environment | |||
Ephemeral & Isolated Build | |||
Non-Falsifiable Attestation | |||
Threat: Source Code Tampering | |||
Threat: Build Process Injection |
Frequently Asked Questions
Clear answers to the most common questions about the Supply Chain Levels for Software Artifacts framework, its implementation, and its role in securing AI model supply chains.
Supply Chain Levels for Software Artifacts (SLSA, pronounced "salsa") is a security framework that provides a graduated checklist of controls to prevent tampering and improve the integrity of software packages and infrastructure throughout the build and deployment lifecycle. It works by defining four ascending levels of security guarantees, from basic build automation (Level 1) to hermetic, reproducible builds with non-falsifiable provenance (Level 4). Each level introduces stricter requirements around source integrity, build platform hardening, and provenance generation. The framework is organized into tracks—currently focused on the Build track—that address specific attack vectors such as source code modification, compromised build platforms, and artifact tampering. SLSA does not mandate specific tools but specifies the properties a compliant system must exhibit, such as isolated builds, parameterless build recipes, and cryptographically signed attestations. For AI infrastructure, SLSA principles extend directly to model weights, training pipelines, and container images, ensuring that a deployed model artifact can be traced back to its exact source code, training data, and build environment with cryptographic certainty.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
SLSA relies on a constellation of complementary specifications and tools to achieve end-to-end supply chain integrity. These related concepts form the technical foundation for tamper-proof artifact governance.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us