The Supply chain Levels for Software Artifacts (SLSA) specification defines an open standard for establishing artifact integrity and resilient build processes for the software supply chain.
SLSA defines multiple "security levels" of increasing security guarantees and the corresponding technical requirements necessary to achieve each such level.
SLSA's scope includes requirements relating to:
- source integrity and availability, to ensure changes to source code are intentional and documented;
- build integrity, to ensure packages are built as intended and remain unmodified;
- provenance, to ensure metadata about the build process is documented, verifiable, complete and available; and
- system security, to ensure systems used in the build process are themselves secure.
Any changes of Scope are not retroactive.