SLSA-LEVEL-1
SLSA L1 build scripted + provenance attestation.
Définition
SLSA L1 requirements : (1) Build process scripted/automated (continuous integration pipeline, no manual local builds), (2) Provenance available (machine-readable attestation in SLSA Provenance v1.0 format including builder ID, build invocation, materials, outputs), (3) Provenance must be authenticated (signed). NOT required L1 : tamper-resistance build, hermetic build, reproducible build, isolated build (those L2-L4). Sample L1 implementations : GitHub Actions native (slsa-github-generator), GitLab CI, CircleCI, Jenkins with SLSA plugin. Provenance format : in-toto Attestation Statement + SLSA Provenance v1.0 predicate (encoded JSON), includes buildType, externalParameters, internalParameters, resolvedDependencies, runDetails. Use case : establish baseline traceability minimum supply chain projects, ~30% effort additional vs no-SLSA, common adoption level.
Origine
SLSA initialement publie par Google (Software Supply Chain Integrity SSCS team) juin 2021 ; donated OpenSSF Linux Foundation septembre 2021 ; SLSA 1.0 publie 2023 (rebrand levels) ; SLSA v1.0 spec stable ; ~1000+ projets OSS SLSA L1+.
Exemple en contexte
OSS Python package 'requests' build via GitHub Actions slsa-github-generator action : automatic build CI, provenance attestation v1.0 signed Cosign Sigstore, publish PyPI avec attestation .intoto.jsonl side-by-side ; users can verify provenance via slsa-verifier CLI.
Termes liés
- SLSA L2 — niveau superieur.