ediverse Explorer la plateforme

À la une PEPPOL BIS Billing 3.0 L’obligation européenne d’e-invoicing arrive : France sept 2026, Belgique janv 2026, Allemagne 2025.

SLSA-LEVEL-3

SLSA L3 build hardened + two-person review.

Définition

SLSA L3 requirements (cumulative L2) : (1) Source : two-person reviewed obligatoire (release branches protected via branch protection rules require >=1 reviewer approval, GitHub CODEOWNERS, GitLab merge approval), tag protection. (2) Build : hardened build process (build cannot influence its own provenance, isolation from other builds, isolation from user-controlled environment variables that could forge attestation, ephemeral runner per build). (3) Provenance non-falsifiable : build platform attests using key material not accessible to user-controlled build steps, attestation signed by build platform identity (not user). Implementations existantes : GitHub Actions slsa-github-generator v2.x supports L3 via reusable workflows isolation, GitLab CI L3 via Composite Actions isolation, GoogleCloudBuild SLSA L3 Provenance native support. Use case : critical packages npm/PyPI/Docker Hub providers SLSA L3+, npm provider mandate planned 2025 by npm team.

Origine

SLSA L3 specification publie 2021 par Google SSCS team ; L3 considere production-grade ; specifications stable SLSA 1.0 OpenSSF 2023 ; ~5% OSS projects atteignent L3 2024 mais croissance rapide.

Exemple en contexte

npm package 'lodash' (massive 200M+ downloads/week) achieves SLSA L3 via GitHub Actions slsa-github-generator v2 isolated reusable workflow + branch protection 2-person review main branch + ephemeral runners ; provenance signed by GitHub OIDC + Sigstore, attestation publie npm registry.

Termes liés

Dernière mise à jour: 16 mai 2026