Artifacts
Supply-chain Levels for Software Artifacts (SLSA)
In its current state, SLSA is a set of incrementally adoptable security guidelines being established by industry consensus.
SLSA differs from a list of best practices in its enforceability: it will support the automatic creation of auditable metadata that can be fed into policy engines to give “SLSA certification” to a particular package or build platform. It is designed to be incremental and actionable, and to provide security benefits at every step.
SLSA consists of four levels, with SLSA 4 representing the ideal end state. The lower levels represent incremental milestones with corresponding incremental integrity guarantees. Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source—something that is difficult, if not impossible, to do with most software today.