Governance · Credibility 90/100 · 2 min read

Supply-Chain Briefing — Google and OpenSSF Introduce SLSA Framework

Google and the Open Source Security Foundation launched the Supply-chain Levels for Software Artifacts (SLSA) framework on June 21, 2021 to define progressive integrity requirements for source, build, and provenance security.

Executive briefing: Google and the Open Source Security Foundation (OpenSSF) introduced the Supply-chain Levels for Software Artifacts (SLSA) framework. SLSA establishes four assurance levels that cover source controls, build system hardening, and tamper-evident provenance, so organisations can mitigate the supply-chain compromise risks exposed by attacks such as SolarWinds and dependency hijacking.

Framework highlights

  • Levelled maturity. SLSA provides a staged roadmap from SLSA 1 (build provenance) through SLSA 4 (hermetic builds with two-person review) that teams can adopt iteratively.
  • Provenance attestation. Build systems must emit signed metadata describing source revisions, dependencies, and builders, enabling downstream verification.
  • Open reference tooling. The initiative released reference implementations and policy templates developers can adopt inside existing CI/CD platforms.

Implementation guidance

  • Assess current posture. Inventory build pipelines, artifact repositories, and release processes to determine baseline alignment with SLSA requirements.
  • Adopt provenance standards. Pilot Sigstore Fulcio/Rekor or in-house certificate authorities to sign artifacts and store tamper-resistant logs.
  • Map to compliance controls. Link SLSA practices to SOC 2 CC8, FedRAMP SA-12, and ISO/IEC 27001 A.14 requirements covering code integrity and change management.
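The provenance attestation described under "Framework highlights" (signed metadata naming the subject artifact, its source revision, its dependencies and the builder that produced it) and the release gate under "Enablement moves" (no release without a signed provenance record) fit together in one small flow. The following is an added example, not code from the SLSA project or from Google/OpenSSF: it assembles an in-toto Statement carrying a SLSA v0.1-style provenance predicate, wraps it in a DSSE-like envelope, and runs a downstream verifier that fails closed. The builder id, repository URI, dependency entry and the HMAC "signing" key are constructed placeholders; a real pipeline would use Sigstore or an asymmetric key so that the verifier never holds signing material.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs (not real values from any project).
ARTIFACT = b"#!/bin/sh\necho 'app release 1.4.2'\n"          # stand-in for a built binary
TRUSTED_BUILDER = "https://ci.example.invalid/builders/hermetic-v2"  # hypothetical builder id
TRUSTED_SOURCE = "git+https://git.example.invalid/acme/app"    # hypothetical source repo
SIGNING_KEY = b"demo-only-shared-key"                           # placeholder; use Sigstore/Ed25519 in practice
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact: bytes, builder_id: str, source_uri: str,
                    commit: str, deps: List[Dict]) -> Dict:
    """Build an in-toto Statement whose predicate records builder, source and materials."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "app", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            # definedInMaterial points at the material that holds the build definition.
            "recipe": {"type": "https://example.invalid/hermetic-build", "definedInMaterial": 0},
            "materials": [{"uri": source_uri, "digest": {"sha1": commit}}] + deps,
        },
    }


def sign(statement: Dict, key: bytes) -> Dict:
    """Wrap the statement in a DSSE-like envelope; HMAC stands in for a real signature."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload.hex(),
        "sig": hmac.new(key, payload, "sha256").hexdigest(),
    }


def verify_release(envelope: Optional[Dict], artifact: bytes, key: bytes,
                   trusted_builder: str, trusted_source: str) -> Tuple[bool, str]:
    """Downstream release gate: allow only when every provenance check passes."""
    if envelope is None:
        return False, "no provenance record"
    payload = bytes.fromhex(envelope["payload"])
    expected = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        return False, "signature invalid"
    stmt = json.loads(payload)
    if stmt.get("predicateType") != PROVENANCE_TYPE:
        return False, "unexpected predicate type"
    # The artifact being released must be the subject the builder attested to.
    digests = {s["digest"].get("sha256") for s in stmt["subject"]}
    if sha256_hex(artifact) not in digests:
        return False, "artifact digest not in provenance subject"
    pred = stmt["predicate"]
    if pred["builder"]["id"] != trusted_builder:
        return False, "untrusted builder " + pred["builder"]["id"]
    src = pred["materials"][pred["recipe"]["definedInMaterial"]]
    if src["uri"] != trusted_source:
        return False, "source " + src["uri"] + " is not the expected repository"
    return True, "release allowed"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the gate with a good record and several failure modes."""
    deps = [{"uri": "pkg:pypi/example-dep@1.0.0", "digest": {"sha256": sha256_hex(b"dep")}}]
    good = sign(make_provenance(ARTIFACT, TRUSTED_BUILDER, TRUSTED_SOURCE, "0" * 40, deps), SIGNING_KEY)
    forged_sig = dict(good, sig="00" * 32)
    other_builder = sign(make_provenance(ARTIFACT, "https://laptop.example.invalid/dev",
                                         TRUSTED_SOURCE, "0" * 40, deps), SIGNING_KEY)
    args = (SIGNING_KEY, TRUSTED_BUILDER, TRUSTED_SOURCE)
    return {
        "good": verify_release(good, ARTIFACT, *args),
        "missing": verify_release(None, ARTIFACT, *args),
        "swapped_artifact": verify_release(good, ARTIFACT + b"\n", *args),
        "forged_sig": verify_release(forged_sig, ARTIFACT, *args),
        "other_builder": verify_release(other_builder, ARTIFACT, *args),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:17s} -> {'ALLOW' if ok else 'DENY '} ({reason})")
```

The order of checks is deliberate: the signature is verified before the payload is parsed, so unsigned or tampered JSON never reaches the policy logic, and each policy check (subject digest, builder identity, source repository) returns a distinct reason that can be logged when a release is blocked.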

Enablement moves

  • Educate development, release engineering, and security champions on SLSA levels, highlighting quick wins such as version-controlled builds and reproducibility.
  • Work with procurement to request SLSA attestations from critical software suppliers.
  • Embed SLSA checkpoints into internal SDLC policies, ensuring releases cannot proceed without signed provenance records.

Tags

  • SLSA
  • Software supply chain
  • Provenance
  • OpenSSF