ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

SLSA-LEVEL-3

SLSA L3 hardened build + two-person review.

Definition

SLSA L3 requirements (cumulative L2): (1) Source: two-person reviewed mandatory (release branches protected via branch protection rules require >=1 reviewer approval, GitHub CODEOWNERS, GitLab merge approval), tag protection. (2) Build: hardened build process (build cannot influence its own provenance, isolation from other builds, isolation from user-controlled environment variables that could forge attestation, ephemeral runner per build). (3) Provenance non-falsifiable: build platform attests using key material not accessible to user-controlled build steps, attestation signed by build platform identity (not user). Existing implementations: GitHub Actions slsa-github-generator v2.x supports L3 via reusable workflows isolation, GitLab CI L3 via Composite Actions isolation, GoogleCloudBuild SLSA L3 Provenance native support. Use case: critical packages npm/PyPI/Docker Hub providers SLSA L3+, npm provider mandate planned 2025 by npm team.

Origin

SLSA L3 specification published 2021 by Google SSCS team ; L3 considered production-grade ; stable specifications SLSA 1.0 OpenSSF 2023 ; ~5% OSS projects reach L3 2024 but rapid growth.

Example in context

npm package 'lodash' (massive 200M+ downloads/week) achieves SLSA L3 via GitHub Actions slsa-github-generator v2 isolated reusable workflow + branch protection 2-person review main branch + ephemeral runners ; provenance signed by GitHub OIDC + Sigstore, attestation published npm registry.

Last updated: May 16, 2026