SLSA-EDI
Google framework grading software supply-chain security.
Definition
SLSA v1.0 (2023) defines 4 Build Track levels: L0 (no protection), L1 (provenance documented), L2 (hosted build platform), L3 (hardened builds). Source Track: source code protection. Dependencies Track: dependency security. For an EDI vendor: aim L3 on build (Sigstore-signed provenance) and L2 on dependencies (SBOM + regular scans).
Origin
Created by Google in 2021, transferred to Open Source Security Foundation (OpenSSF) in 2022.
Example in context
An AS2 container image with SLSA L3 attestation (built on GitHub Actions, signed by Sigstore).
Related terms
- SBOM — related dependency inventory.