Skip to main content

SLSA (Supply-chain Levels for Software Artifacts)

SLSA is a framework of graduated build-integrity levels, backed by provenance, for measuring and improving how trustworthy software builds are.

SLSA (pronounced "salsa") is a framework for describing how trustworthy a software build is. It sets out increasing levels of assurance, each backed by stronger, harder-to-forge provenance about how an artifact was produced.

How It Works

The levels move from producing a signed provenance statement at all, up to builds that run on a hardened, isolated platform whose provenance cannot be falsified by the project's own maintainers. Higher levels demand that provenance is generated by the build platform itself, is non-forgeable, and records the source and build steps completely.

SLSA is a set of requirements, not a tool. Teams meet it with signing and attestation tooling — for example, generating build provenance as a signed attestation and verifying it at deploy time against a policy that requires a minimum level.

Why It Matters

Build systems are a favorite target because compromising one build affects every downstream consumer. SLSA gives organizations a common yardstick to state and verify build integrity — "this artifact meets SLSA level N" — instead of relying on informal assurances. Customers and regulators increasingly use it as a baseline for what "secure build" means.

Related Terms

SLSA grades the provenance carried by an attestation, complements the inventory in an SBOM, and is a pillar of supply-chain security.