SLSA-LEVEL-3
SLSA L3 build hardened + two-person review.
Définition
SLSA L3 requirements (cumulative L2) : (1) Source : two-person reviewed obligatoire (release branches protected via branch protection rules require >=1 reviewer approval, GitHub CODEOWNERS, GitLab merge approval), tag protection. (2) Build : hardened build process (build cannot influence its own provenance, isolation from other builds, isolation from user-controlled environment variables that could forge attestation, ephemeral runner per build). (3) Provenance non-falsifiable : build platform attests using key material not accessible to user-controlled build steps, attestation signed by build platform identity (not user). Implementations existantes : GitHub Actions slsa-github-generator v2.x supports L3 via reusable workflows isolation, GitLab CI L3 via Composite Actions isolation, GoogleCloudBuild SLSA L3 Provenance native support. Use case : critical packages npm/PyPI/Docker Hub providers SLSA L3+, npm provider mandate planned 2025 by npm team.
Origine
SLSA L3 specification publie 2021 par Google SSCS team ; L3 considere production-grade ; specifications stable SLSA 1.0 OpenSSF 2023 ; ~5% OSS projects atteignent L3 2024 mais croissance rapide.
Exemple en contexte
npm package 'lodash' (massive 200M+ downloads/week) achieves SLSA L3 via GitHub Actions slsa-github-generator v2 isolated reusable workflow + branch protection 2-person review main branch + ephemeral runners ; provenance signed by GitHub OIDC + Sigstore, attestation publie npm registry.
Termes liés
- SLSA L4 — niveau maximal.