This is a working draft of v1.1. This document may be modified, replaced, or discarded at any time.

For the latest release candidate or approved version, please use the version selector.

Version 1.0 is available! See the newest documentation.

SLSA specification

SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.

This is version 1.1 of the SLSA specification, which defines the SLSA levels and recommended attestation formats, including provenance.

Understanding SLSA

These pages provide an overview of SLSA, how it helps protect against common supply chain attacks, and common use cases. If you’re new to SLSA or supply chain security, start here.

Page Description
What’s new in v1.1 What’s new in SLSA Version 1.1
About SLSA An introductory guide to SLSA
Supply chain threats An introduction to supply chain threats
Use cases Use cases
Guiding principles Use cases
FAQ Questions and more information
Future directions Additions and changes being considered for future SLSA versions

Core specification

These pages describe SLSA’s security levels and requirements for each track. If you want to achieve SLSA a particular level, these are the requirements you’ll need to meet.

Page Description
Terminology Terminology and model used by SLSA
Security levels Overview of SLSA’s tracks and levels, intended for all audiences
Producing artifacts Detailed technical requirements for producing software artifacts, intended for platform implementers
Distributing provenance Detailed technical requirements for distributing provenance, intended for platform implementers and software distributors
Verifying artifacts Guidance for verifying software artifacts and their SLSA provenance, intended for platform implementers and software consumers
Verifying build platforms Guidelines for securing SLSA Build L3+ builders, intended for platform implementers
Threats & mitigations Detailed information about specific supply chain attacks and how SLSA helps

Attestation formats

These pages include the concrete schemas for SLSA attestations. The Provenance and VSA formats are recommended, but not required by the specification.

Page Description
General model General attestation mode
Provenance Suggested provenance format and explanation
Verification Summary Suggested VSA format and explanation

How to SLSA

These instructions tell you how to apply the core SLSA specification to use SLSA in your specific situation.

Page Description
For developers How to apply SLSA requirements to your build
For organizations How to apply SLSA to an organization
For infrastructure providers How to implement SLSA in source, build, and package platforms