
Supply-Chain Briefing — Google and OpenSSF Introduce SLSA Framework

Google and the Open Source Security Foundation launched the Supply-chain Levels for Software Artifacts (SLSA) framework on June 21, 2021 to define progressive integrity requirements for source, build, and provenance security.


Executive briefing: Google and the Open Source Security Foundation (OpenSSF) introduced the Supply-chain Levels for Software Artifacts (SLSA) framework. SLSA establishes four assurance levels that cover source controls, build system hardening, and tamper-evident provenance so organisations can mitigate supply-chain compromise risks exposed by attacks such as SolarWinds and dependency hijacking.

Framework highlights

  • Levelled maturity. SLSA provides a staged roadmap from SLSA 1 (build provenance) through SLSA 4 (hermetic builds with two-person review) that teams can adopt iteratively.
  • Provenance attestation. Build systems must emit signed metadata describing source revisions, dependencies, and builders, enabling downstream verification.
  • Open reference tooling. The initiative released reference implementations and policy templates developers can adopt inside existing CI/CD platforms.

Implementation guidance

  • Assess current posture. Inventory build pipelines, artifact repositories, and release processes to determine baseline alignment with SLSA requirements.
  • Adopt provenance standards. Pilot Sigstore Fulcio/Rekor or in-house certificate authorities to sign artifacts and store tamper-resistant logs.
  • Map to compliance controls. Link SLSA practices to SOC 2 CC8, FedRAMP SA-12, and ISO/IEC 27001 A.14 requirements covering code integrity and change management.

Enablement moves

  • Educate development, release engineering, and security champions on SLSA levels, highlighting quick wins such as version-controlled builds and reproducibility.
  • Work with procurement to request SLSA attestations from critical software suppliers.
  • Embed SLSA checkpoints into internal SDLC policies, ensuring releases cannot proceed without signed provenance records.
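
The provenance attestation described under "Framework highlights" and the release checkpoint in the last bullet above come together in a policy check like the following. It is an added example, not code from Google, OpenSSF or the SLSA project: it reads a constructed in-toto Statement carrying a SLSA provenance predicate, binds it to the artifact bytes by digest, and refuses the release unless the builder and source repository match policy. The builder and repository URLs are placeholders, and the statement is assumed to have already had its DSSE signature verified (for example by Sigstore tooling), since this gate checks only the claims inside it.

```python
import hashlib

# Release policy (constructed placeholder values for this example).
TRUSTED_BUILDERS = {"https://ci.example.internal/builder/v1"}
EXPECTED_SOURCE = "git+https://git.example.internal/acme/app"


def verify_provenance(statement: dict, artifact: bytes) -> list:
    """Return policy violations for a SLSA provenance statement; empty means ship.

    Assumes the enclosing DSSE envelope signature was already checked elsewhere;
    only the attested claims are evaluated here.
    """
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicate type")
    # The subject digest is what ties the attestation to the bytes being shipped.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        problems.append("artifact digest not covered by provenance subject")
    predicate = statement.get("predicate", {})
    if predicate.get("builder", {}).get("id") not in TRUSTED_BUILDERS:
        problems.append("builder is not trusted")
    # Materials record the source revision the build consumed.
    sources = [m for m in predicate.get("materials", []) if m.get("uri") == EXPECTED_SOURCE]
    if not sources:
        problems.append("expected source repository absent from materials")
    elif not sources[0].get("digest", {}).get("sha1"):
        problems.append("source material has no revision digest")
    return problems


# Constructed sample artifact and matching provenance statement.
ARTIFACT = b"demo release bundle bytes"
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://ci.example.internal/builder/v1"},
        "buildType": "https://ci.example.internal/build-types/container/v1",
        "materials": [{"uri": EXPECTED_SOURCE, "digest": {"sha1": "0" * 40}}],
    },
}

if __name__ == "__main__":
    print(verify_provenance(PROVENANCE, ARTIFACT))  # prints []
```

Swapping the artifact bytes, the builder id or the source URI in the sample statement produces a non-empty violation list, which is the condition under which the release step should stop.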
