SLSA-LEVEL-3
SLSA L3 hardened build + two-person review.
Definition
SLSA L3 requirements (cumulative L2): (1) Source: two-person reviewed mandatory (release branches protected via branch protection rules require >=1 reviewer approval, GitHub CODEOWNERS, GitLab merge approval), tag protection. (2) Build: hardened build process (build cannot influence its own provenance, isolation from other builds, isolation from user-controlled environment variables that could forge attestation, ephemeral runner per build). (3) Provenance non-falsifiable: build platform attests using key material not accessible to user-controlled build steps, attestation signed by build platform identity (not user). Existing implementations: GitHub Actions slsa-github-generator v2.x supports L3 via reusable workflows isolation, GitLab CI L3 via Composite Actions isolation, GoogleCloudBuild SLSA L3 Provenance native support. Use case: critical packages npm/PyPI/Docker Hub providers SLSA L3+, npm provider mandate planned 2025 by npm team.
Origin
SLSA L3 specification published 2021 by Google SSCS team ; L3 considered production-grade ; stable specifications SLSA 1.0 OpenSSF 2023 ; ~5% OSS projects reach L3 2024 but rapid growth.
Example in context
npm package 'lodash' (massive 200M+ downloads/week) achieves SLSA L3 via GitHub Actions slsa-github-generator v2 isolated reusable workflow + branch protection 2-person review main branch + ephemeral runners ; provenance signed by GitHub OIDC + Sigstore, attestation published npm registry.
Related terms
- SLSA L4 — maximum level.