SLSA (Supply-chain Levels for Software Artifacts)
SLSA is a framework of graduated build-integrity levels, backed by provenance, for measuring and improving how trustworthy software builds are.
SLSA (pronounced "salsa") is a framework for describing how trustworthy a software build is. It sets out increasing levels of assurance, each backed by stronger, harder-to-forge provenance about how an artifact was produced.
How It Works
The levels move from producing a signed provenance statement at all, up to builds that run on a hardened, isolated platform whose provenance cannot be falsified by the project's own maintainers. Higher levels demand that provenance is generated by the build platform itself, is non-forgeable, and records the source and build steps completely.
SLSA is a set of requirements, not a tool. Teams meet it with signing and attestation tooling — for example, generating build provenance as a signed attestation and verifying it at deploy time against a policy that requires a minimum level.
Why It Matters
Build systems are a favorite target because compromising one build affects every downstream consumer. SLSA gives organizations a common yardstick to state and verify build integrity — "this artifact meets SLSA level N" — instead of relying on informal assurances. Customers and regulators increasingly use it as a baseline for what "secure build" means.
Related Terms
SLSA grades the provenance carried by an attestation, complements the inventory in an SBOM, and is a pillar of supply-chain security.