ediverse Explorer la plateforme

À la une PEPPOL BIS Billing 3.0 L’obligation européenne d’e-invoicing arrive : France sept 2026, Belgique janv 2026, Allemagne 2025.

SLSA-LEVEL-1

SLSA L1 build scripted + provenance attestation.

Définition

SLSA L1 requirements : (1) Build process scripted/automated (continuous integration pipeline, no manual local builds), (2) Provenance available (machine-readable attestation in SLSA Provenance v1.0 format including builder ID, build invocation, materials, outputs), (3) Provenance must be authenticated (signed). NOT required L1 : tamper-resistance build, hermetic build, reproducible build, isolated build (those L2-L4). Sample L1 implementations : GitHub Actions native (slsa-github-generator), GitLab CI, CircleCI, Jenkins with SLSA plugin. Provenance format : in-toto Attestation Statement + SLSA Provenance v1.0 predicate (encoded JSON), includes buildType, externalParameters, internalParameters, resolvedDependencies, runDetails. Use case : establish baseline traceability minimum supply chain projects, ~30% effort additional vs no-SLSA, common adoption level.

Origine

SLSA initialement publie par Google (Software Supply Chain Integrity SSCS team) juin 2021 ; donated OpenSSF Linux Foundation septembre 2021 ; SLSA 1.0 publie 2023 (rebrand levels) ; SLSA v1.0 spec stable ; ~1000+ projets OSS SLSA L1+.

Exemple en contexte

OSS Python package 'requests' build via GitHub Actions slsa-github-generator action : automatic build CI, provenance attestation v1.0 signed Cosign Sigstore, publish PyPI avec attestation .intoto.jsonl side-by-side ; users can verify provenance via slsa-verifier CLI.

Termes liés

Dernière mise à jour: 16 mai 2026