SLSA
Definition
SLSA (Supply-chain Levels for Software Artifacts, pronounced "salsa") is a security framework for protecting the integrity of software artifacts across the software supply chain. It defines a set of practices and an accompanying provenance format, organized into levels of assurance, that let a consumer check how, where and from what an artifact was built and detect tampering along the way. Each level builds on the previous one. In the SLSA v1.0 Build track, Level 1 requires that provenance exist, Level 2 that a hosted build platform generate and sign it, and Level 3 that the platform harden and isolate its builds so that the build job itself cannot forge the provenance; the earlier v0.1 draft additionally required hermetic, reproducible builds at Level 4.
Secure Settings Example
# Example of a CI/CD pipeline configuration (CircleCI syntax) that verifies the
# checked-out source and signs its output. On its own this is NOT SLSA Build L3:
# L2 and L3 require the build platform, not the job, to generate and sign the
# provenance, so provenance emitted by the job's own build script supports L1 at most.
version: 2.1
jobs:
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run:
          name: Verify Source Integrity
          # Requires the committers' public keys to be imported into the job's gpg keyring
          command: |
            git verify-commit HEAD
      - run:
          name: Build with Provenance
          # build.sh and its --provenance flag are the project's own script, not a SLSA tool
          command: |
            ./build.sh --provenance
      - run:
          name: Sign Artifacts
          # --detach-sign keeps the signature separate from the artifact;
          # --sign alone would wrap a copy of the tarball inside the signature file
          command: |
            gpg --detach-sign --armor --output artifact.tar.gz.asc artifact.tar.gz
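Producing provenance is only half of the picture: the consumer of the artifact has to check it before trusting the build. The following is an added example, not code from this page and not an official SLSA tool, of the checks a verifier performs on a decoded SLSA v1.0 provenance statement (in-toto Statement with the SLSA provenance predicate): that the artifact's sha256 is listed as a subject, that the builder id is the expected build platform, and that the build consumed a pinned commit of the expected source repository. The builder id, source URI, build type and artifact bytes are constructed placeholders, and the example assumes the DSSE envelope signature around the statement has already been verified by the signing tooling.

```python
"""Check a SLSA v1.0 provenance statement against an artifact.

Added example, not part of the original page. It assumes the DSSE envelope
signature has already been verified by the build platform's tooling and only
checks the decoded in-toto Statement (constructed sample data below).
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed sample artifact and identifiers; a real statement is produced by
# the build platform, not by the job that runs ./build.sh.
SAMPLE_ARTIFACT = b"constructed release tarball bytes\n"
EXPECTED_BUILDER = "https://example.com/builders/hosted-ci@v1"  # hypothetical
EXPECTED_SOURCE = "git+https://example.com/org/app"             # hypothetical


def sample_statement(artifact: bytes = SAMPLE_ARTIFACT) -> dict:
    """Build a minimal SLSA v1.0 provenance statement for `artifact` (constructed)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{
            "name": "artifact.tar.gz",
            "digest": {"sha256": hashlib.sha256(artifact).hexdigest()},
        }],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/buildtypes/ci/v1",  # hypothetical
                "externalParameters": {"source": {"uri": EXPECTED_SOURCE}},
                "resolvedDependencies": [{
                    "uri": EXPECTED_SOURCE,
                    "digest": {"gitCommit": "0" * 40},  # constructed placeholder
                }],
            },
            "runDetails": {"builder": {"id": EXPECTED_BUILDER}},
        },
    }


def verify_provenance(statement: dict, artifact: bytes,
                      expected_builder: str, expected_source: str) -> list:
    """Return a list of failures; an empty list means every check passed."""
    failures = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append("unexpected statement type")
    if statement.get("predicateType") != PREDICATE_TYPE:
        failures.append("unexpected predicate type")

    # 1. The artifact we hold must be one of the statement's subjects.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        failures.append("artifact sha256 %s not among subjects" % actual[:12])

    pred = statement.get("predicate") or {}
    # 2. Only the expected build platform may have produced the statement.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        failures.append("builder id %r != %r" % (builder, expected_builder))

    # 3. The build must have consumed a pinned commit of the expected source.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies") or []
    pinned = [d for d in deps
              if d.get("uri") == expected_source
              and d.get("digest", {}).get("gitCommit")]
    if not pinned:
        failures.append("no pinned gitCommit for source %s" % expected_source)
    return failures


if __name__ == "__main__":
    stmt = sample_statement()
    print(json.dumps(stmt, indent=2))
    print("valid:", verify_provenance(stmt, SAMPLE_ARTIFACT,
                                      EXPECTED_BUILDER, EXPECTED_SOURCE))
    print("tampered:", verify_provenance(stmt, SAMPLE_ARTIFACT + b"x",
                                         EXPECTED_BUILDER, EXPECTED_SOURCE))
```

The builder-id check is what separates SLSA L2/L3 from a self-attested L1 claim: a job that writes its own provenance can put any builder id in it, so the consumer must also confirm the signature on the envelope belongs to that platform before these field checks mean anything.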
Insecure Settings Example
# Example of an insecure CI/CD pipeline configuration: the source is not
# verified, no provenance is produced, and the release is published unsigned
version: 2.1
jobs:
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run:
          name: Build without Verification
          command: |
            ./build.sh
      - run:
          name: Publish Unsigned Artifacts
          command: |
            cp artifact.tar.gz /release/