ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

SLSA-LEVEL-1

SLSA L1 scripted build + provenance attestation.

Definition

SLSA L1 requirements: (1) Build process scripted/automated (continuous integration pipeline, no manual local builds), (2) Provenance available (machine-readable attestation in SLSA Provenance v1.0 format including builder ID, build invocation, materials, outputs), (3) Provenance must be authenticated (signed). NOT required L1: tamper-resistance build, hermetic build, reproducible build, isolated build (those L2-L4). Sample L1 implementations: GitHub Actions native (slsa-github-generator), GitLab CI, CircleCI, Jenkins with SLSA plugin. Provenance format: in-toto Attestation Statement + SLSA Provenance v1.0 predicate (encoded JSON), includes buildType, externalParameters, internalParameters, resolvedDependencies, runDetails. Use case: establish baseline traceability minimum supply chain projects, ~30% additional effort vs no-SLSA, common adoption level.

Origin

SLSA initially published by Google (Software Supply Chain Integrity SSCS team) June 2021 ; donated to OpenSSF Linux Foundation September 2021 ; SLSA 1.0 published 2023 (levels rebrand) ; SLSA v1.0 spec stable ; ~1000+ OSS projects SLSA L1+.

Example in context

OSS Python package 'requests' build via GitHub Actions slsa-github-generator action: automatic CI build, provenance attestation v1.0 signed Cosign Sigstore, publish PyPI with attestation .intoto.jsonl side-by-side ; users can verify provenance via slsa-verifier CLI.

Last updated: May 16, 2026