Inferensys

Glossary

Supply Chain Levels for Software Artifacts (SLSA)

A security framework that provides a graduated checklist of controls to prevent tampering and improve the integrity of software packages and infrastructure throughout the build and deployment lifecycle.
Supply chain manager using AI negotiator on laptop, supplier data visible, casual office afternoon setup.
SECURITY FRAMEWORK

What is Supply Chain Levels for Software Artifacts (SLSA)?

SLSA (pronounced 'salsa') is a security framework that provides a graduated checklist of controls to prevent tampering and improve the integrity of software packages and infrastructure throughout the build and deployment lifecycle.

Supply Chain Levels for Software Artifacts (SLSA) is a security framework that defines a set of incrementally adoptable controls to protect software from source to deployment. It establishes a common language and a four-level scale (Build L0 to L3) for measuring supply chain integrity, with higher levels requiring stronger tamper-proof provenance and hermetic build processes. The framework is designed to mitigate threats like source code modification, compromised build platforms, and artifact substitution by ensuring every step in the software development lifecycle is auditable and cryptographically verifiable.

SLSA's requirements center on creating non-forgeable, signed attestations that link a final artifact back to its source code, build instructions, and environment. At its highest level, it mandates two-person reviews, hermetic builds that are fully isolated and repeatable, and cryptographic signing of the resulting provenance metadata. By integrating with tools like Sigstore for keyless signing and in-toto for step-by-step attestation, SLSA provides a practical, vendor-neutral path to achieving end-to-end software supply chain integrity and defending against advanced persistent threats.

BUILD INTEGRITY

Core Components of the SLSA Framework

The Supply Chain Levels for Software Artifacts (SLSA) framework is organized into a set of core components that work together to provide end-to-end integrity guarantees. These components define how provenance is generated, policies are enforced, and artifacts are verified.

01

SLSA Provenance

The cornerstone of SLSA. Provenance is a verifiable, cryptographically signed statement about how a software artifact was built. It answers 'who, what, where, and how' for the build process.

  • Format: Uses the in-toto attestation framework with a SLSA-specific predicate.
  • Contents: Includes builder ID, source repository, build invocation parameters, and all transitive dependencies.
  • Key Distinction: Unlike a simple checksum, provenance links an artifact to its origin, enabling policy decisions based on the builder's trustworthiness.
02

Build Level Tracks

SLSA defines ascending Build Levels (L0-L3) that represent increasing maturity and tamper-resistance of the build platform. Each level introduces specific requirements.

  • L0: No guarantees. Binary is opaque.
  • L1: Provenance is generated, showing how the software was built.
  • L2: Build runs on a hosted service with source control, generating authenticated provenance.
  • L3: Builds are hermetic and fully isolated. The build definition and output are verifiable and cannot be influenced by external parameters.
03

Hermetic Builds

A hermetic build is a build process that is entirely self-contained, with no network access or hidden state. This is a mandatory requirement for SLSA Build Level 3.

  • Determinism: The same source inputs always produce a bit-for-bit identical output.
  • No Fetching: All dependencies must be declared and resolved before the build starts; no apt-get install or pip install during the build.
  • Isolation: The build runs in an ephemeral, sandboxed environment that is destroyed after completion, preventing secret exfiltration or output tampering.
04

Policy Engine & Verification

Provenance is only useful if it's verified. A policy engine evaluates signed attestations against organizational rules before an artifact is deployed.

  • Policy-as-Code: Rules are written declaratively (e.g., 'Only allow containers built by our trusted CI system from the main branch').
  • Integration Point: Typically enforced at the Admission Controller level in Kubernetes, blocking non-compliant deployments.
  • Tooling: Projects like Open Policy Agent (OPA) and Kyverno are commonly used to codify and enforce SLSA-based deployment policies.
05

Verifiable Summary Attestation (VSA)

A VSA is a policy decision rendered as a signed attestation. It states that an artifact's SLSA provenance has been evaluated and meets a specific policy.

  • Purpose: Simplifies downstream verification. A consumer can check the VSA instead of re-evaluating the full provenance chain.
  • Workflow: A policy engine evaluates the SLSA provenance, and if it passes, it generates a VSA that is stored alongside the artifact.
  • Efficiency: This decouples complex policy evaluation from deployment time, speeding up continuous delivery pipelines.
06

Source Control Integrity

SLSA's security model extends to the source. Source Level requirements protect the integrity of the code before it even reaches the build system.

  • Two-Person Review: Changes must be approved by a different authorized person.
  • Verified History: The git history must be cryptographically signed and protected from force-pushes.
  • Strong Authentication: Contributors must use multi-factor authentication to push code, preventing account takeover from injecting malicious source changes.
SUPPLY CHAIN INTEGRITY

SLSA Levels: Requirements and Threat Mitigation

A graduated comparison of security controls and the specific supply chain threats mitigated at each SLSA Build Level, from basic provenance to hermetic, tamper-proof builds.

Requirement / ThreatSLSA Level 1SLSA Level 2SLSA Level 3

Build Script Provenance

Automated Build Process

Source Integrity (Verified History)

Hermetic Build Environment

Ephemeral & Isolated Build

Non-Falsifiable Attestation

Threat: Source Code Tampering

Threat: Build Process Injection

SLSA FRAMEWORK

Frequently Asked Questions

Clear answers to the most common questions about the Supply Chain Levels for Software Artifacts framework, its implementation, and its role in securing AI model supply chains.

Supply Chain Levels for Software Artifacts (SLSA, pronounced "salsa") is a security framework that provides a graduated checklist of controls to prevent tampering and improve the integrity of software packages and infrastructure throughout the build and deployment lifecycle. It works by defining four ascending levels of security guarantees, from basic build automation (Level 1) to hermetic, reproducible builds with non-falsifiable provenance (Level 4). Each level introduces stricter requirements around source integrity, build platform hardening, and provenance generation. The framework is organized into tracks—currently focused on the Build track—that address specific attack vectors such as source code modification, compromised build platforms, and artifact tampering. SLSA does not mandate specific tools but specifies the properties a compliant system must exhibit, such as isolated builds, parameterless build recipes, and cryptographically signed attestations. For AI infrastructure, SLSA principles extend directly to model weights, training pipelines, and container images, ensuring that a deployed model artifact can be traced back to its exact source code, training data, and build environment with cryptographic certainty.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.