Supply Chain Levels for Software Artifacts Recommendations
As a general guide, a project can ask the following questions to assess which Supply Chain Levels for Software Artifacts (SLSA) level it currently meets.
SLSA Level 1
The focus is on documenting the build and artifact release process, so that there is an auditable record of how artifacts are produced and of every change to that process.
- Are the build environment and tools documented?
- Is the project leveraging automated security checks to identify vulnerabilities in the build process?
- Is there version control in place for the source code and build scripts?
- Are all changes to the build process tracked and reviewed by authorized personnel?
- Is there a defined release process, and is the ability to generate release artifacts restricted to maintainers, following the principle of least privilege?
SLSA Level 2
The focus is on making the generated artifacts verifiable: any tampering with an artifact after it is built must be detectable by the consumer of that artifact.
- Are the artifacts signed?
- Is the signing integrated into the CI pipeline, rather than performed by hand on a developer machine?
- Are the signing practices and the build process regularly monitored and audited?
- Is a trusted tool (e.g., cosign) used to sign the artifacts?
- Is the build reproducible, so that the same source produces identical artifacts? (SLSA does not require reproducibility at this level, but it lets a consumer independently confirm what the provenance claims.)
- Is provenance generated for each artifact, recording how it was built (builder, source, build parameters) and which dependencies were used?
SLSA Level 3
The focus is on hardening the build environment so that the provenance it produces can be trusted, and so that a compromised build step cannot forge it.
- Is access control implemented to secure the build environment?
- Do you validate the signatures and checksums of all dependencies before ingesting them into the build?
- Do you sign the output of every step in your build pipeline, so that each intermediate artifact is verifiable?
- Do you use separate build workers/containers for each step in your build pipeline?
- Are the build workers and the pipeline network-isolated as far as possible?
- Are signing keys protected and injected into the build step just in time, rather than stored in the build environment?
- Is there an immutable record (e.g., a transparency log) that consumers can use to verify signed artifacts?
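The Level 2 signing and provenance questions and the Level 3 dependency-verification question can be made concrete in one round trip. The following is an added example, not part of the SLSA guidance or of any project's code: the build step verifies each fetched dependency against a pinned digest before using it, records those digests in an in-toto Statement carrying the SLSA provenance v1 predicate, wraps the statement in a DSSE envelope, and the consumer checks the envelope's signature, the subject digest and the builder identity before trusting the artifact. It uses only the Python standard library, so the envelope is signed with HMAC-SHA256 under a shared key as a stand-in for the asymmetric signature a tool such as cosign would produce; the builder ID, source URI, build type, key ID, lock file, dependency bytes and artifact bytes are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical identifiers, constructed for this example.
BUILDER_ID = "https://ci.example.com/builders/container@v1"
SOURCE_URI = "git+https://github.com/example/app"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Stand-in for an asymmetric signing key (cosign/Sigstore in practice): the
# standard library has no Ed25519, so the envelope is HMAC-SHA256'd instead.
SIGNING_KEY = b"demo-only-key-a-real-one-lives-in-a-kms"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Level 3 check: every dependency must match its pinned digest before ingest.
def verify_dependencies(fetched: dict, lock: dict) -> list:
    """Return SLSA resolvedDependencies entries; raise on unpinned or mismatched input."""
    resolved = []
    for name, content in fetched.items():
        if name not in lock:
            raise ValueError(f"{name} is not pinned in the lock file")
        uri, expected = lock[name]
        actual = sha256_hex(content)
        if not hmac.compare_digest(actual, expected):
            raise ValueError(f"digest mismatch for {name}")
        resolved.append({"uri": uri, "digest": {"sha256": actual}})
    return resolved


# Level 2: provenance as an in-toto Statement with the SLSA v1 predicate.
def build_provenance(name: str, artifact: bytes, resolved: list, commit: str) -> dict:
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/buildtypes/make@v1",  # hypothetical
                "externalParameters": {"source": {"uri": SOURCE_URI, "digest": {"gitCommit": commit}}},
                "resolvedDependencies": resolved,
            },
            "runDetails": {"builder": {"id": BUILDER_ID}},
        },
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes that get signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def sign_envelope(statement: dict) -> dict:
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo-key", "sig": base64.b64encode(sig).decode()}]}


# Consumer side: signature, subject digest and builder policy must all hold.
def verify_artifact(envelope: dict, name: str, artifact: bytes, trusted_builders: set) -> dict:
    payload = base64.b64decode(envelope["payload"])
    want = hmac.new(SIGNING_KEY, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    got = base64.b64decode(envelope["signatures"][0]["sig"])
    if not hmac.compare_digest(got, want):
        raise ValueError("provenance signature invalid")
    statement = json.loads(payload)
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        raise ValueError("unexpected predicate type")
    subjects = {s["name"]: s["digest"]["sha256"] for s in statement["subject"]}
    if subjects.get(name) != sha256_hex(artifact):
        raise ValueError("artifact digest does not match provenance subject")
    builder = statement["predicate"]["runDetails"]["builder"]["id"]
    if builder not in trusted_builders:
        raise ValueError(f"untrusted builder {builder}")
    return statement


def demo() -> dict:
    """Round trip on constructed inputs; reports whether each check fired."""
    libfoo = b"constructed bytes standing in for libfoo-1.2.3\n"
    lock = {"libfoo": ("pkg:generic/libfoo@1.2.3", sha256_hex(libfoo))}  # constructed lock file
    artifact = b"constructed bytes standing in for app-1.0.tgz\n"
    resolved = verify_dependencies({"libfoo": libfoo}, lock)
    env = sign_envelope(build_provenance("app-1.0.tgz", artifact, resolved, "0" * 40))
    out = {"genuine": verify_artifact(env, "app-1.0.tgz", artifact, {BUILDER_ID}) is not None}
    attacks = {
        "tampered_dependency": lambda: verify_dependencies({"libfoo": libfoo + b"!"}, lock),
        "tampered_artifact": lambda: verify_artifact(env, "app-1.0.tgz", artifact + b"!", {BUILDER_ID}),
        "untrusted_builder": lambda: verify_artifact(env, "app-1.0.tgz", artifact, {"https://other/builder"}),
        "forged_provenance": lambda: verify_artifact(
            dict(env, payload=base64.b64encode(b"{}").decode()), "app-1.0.tgz", artifact, {BUILDER_ID}),
    }
    for label, attack in attacks.items():
        try:
            attack()
            out[label] = False   # attack went undetected
        except ValueError:
            out[label] = True    # tampering caught
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it reports that the genuine artifact verifies and that each of the four tampering cases is rejected. Two details carry over to real tooling: the signature is computed over the DSSE PAE, so the payload type is authenticated together with the payload, and verification compares the provenance subject digest against the bytes actually downloaded, which is the step that makes post-build tampering detectable by the consumer.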