SLSA – Supply-chain Levels For Software Artifacts

SLSA

SLSA (pronounced “salsa”) is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity.

The best way to read about SLSA is to visit slsa.dev.

What’s in this repo?

The primary content of this repo is the docs/ directory, which contains the core SLSA specification and sources to the slsa.dev website.

You can read SLSA’s documentation here:

  • Levels (Defining the framework)
  • Requirements (How to attain compliance)
  • Example of use
  • Our roadmap

Project status

SLSA is currently in alpha. The framework is constantly being improved. We encourage the community to try adopting SLSA levels incrementally and to share their experiences back to us.

Contributors

  • Kim Lewandowski
  • Mark Lodato
  • Tom Hennen
  • Joshua Lock
  • Jacques Chester
  • And many others

Get involved

We rely on feedback from other organisations to evolve SLSA and be more useful to more people. We’d love to hear your experiences using it.

Are the levels achievable in your project? Would you add or remove anything from the framework? What else is needed before you can adopt it?

  • If you want to discuss the framework, GitHub issues are the way.
  • If you want to contribute to the framework, take a look at our contribution guidelines.

Joining the working group

  • We meet bi-monthly on Wednesdays at 9am PT. Anyone is welcome to join, whether to listen or to contribute. Here’s the invite.
  • We’re part of the OpenSSF Digital Identity Attestation Working Group. The OpenSSF community calendar is here.
  • Our Google Group is here, where you can participate in discussion or join the mailing list.