SLSA-LEVEL-1
SLSA L1 scripted build + provenance attestation.
Definition
SLSA L1 requirements: (1) Build process scripted/automated (continuous integration pipeline, no manual local builds), (2) Provenance available (machine-readable attestation in SLSA Provenance v1.0 format including builder ID, build invocation, materials, outputs), (3) Provenance must be authenticated (signed). NOT required L1: tamper-resistance build, hermetic build, reproducible build, isolated build (those L2-L4). Sample L1 implementations: GitHub Actions native (slsa-github-generator), GitLab CI, CircleCI, Jenkins with SLSA plugin. Provenance format: in-toto Attestation Statement + SLSA Provenance v1.0 predicate (encoded JSON), includes buildType, externalParameters, internalParameters, resolvedDependencies, runDetails. Use case: establish baseline traceability minimum supply chain projects, ~30% additional effort vs no-SLSA, common adoption level.
Origin
SLSA initially published by Google (Software Supply Chain Integrity SSCS team) June 2021 ; donated to OpenSSF Linux Foundation September 2021 ; SLSA 1.0 published 2023 (levels rebrand) ; SLSA v1.0 spec stable ; ~1000+ OSS projects SLSA L1+.
Example in context
OSS Python package 'requests' build via GitHub Actions slsa-github-generator action: automatic CI build, provenance attestation v1.0 signed Cosign Sigstore, publish PyPI with attestation .intoto.jsonl side-by-side ; users can verify provenance via slsa-verifier CLI.
Related terms
- SLSA L2 — next level up.