-
Build your own SLSA 3+ provenance builder on GitHub Actions
by Andres Almiray (JReleaser), Adam Korczynski (Ada Logics), Philip Harrison (GitHub), Laurent Simon (Google) on 28 Aug 2023
It has been an exciting quarter for supply chain security and SLSA, with the release of the SLSA v1.0 specification, SLSA provenance support for npm, and the announcement of new SLSA Level 3 builders for Node.js and containers!
-
Announcing Container-based SLSA 3 Builder on GitHub Actions
by Asra Ali, Razieh Behjati, Tiziano Santoro (Google) on 13 Jun 2023
Following the recent launch of SLSA v1.0, we’re announcing a new GitHub Actions workflow that achieves SLSA Build Track Level 3 for provenance generation. This lets users generate unforgeable provenance, allowing consumers to trust and verify how their software artifacts were built. The container-based SLSA 3 builder is the result of a collaboration between the Google Open Source Security Team (GOSST), the SLSA community, and Project Oak.
-
Bringing Improved Supply Chain Security to the Node.js Ecosystem
by Ian Lewis & Laurent Simon (Google), Fredrik Skogman (GitHub) on 11 May 2023
It has been a big month for supply chain security! GitHub recently announced the public beta for npm package provenance. This adds new functionality to npmjs.com and the npm CLI that allows package maintainers to generate and upload SLSA Build Level 2 provenance along with their packages. Integration with Sigstore enables verification of signature and certificate metadata so users know that the package came from the expected source repository.
-
in-toto and SLSA
Guest post by Aditya Sirish (NYU) and Tom Hennen (Google) representing the in-toto Community on 02 May 2023
As an adopter of SLSA, you have likely encountered the in-toto project. in-toto attestations are part of SLSA’s recommended suite for expressing software supply chain claims. As in-toto maintainers, we’ve interacted with a number of people who know of in-toto through SLSA but don’t fully understand the project. For example, some were surprised to learn that “in-toto isn’t just a format of attestations”, and that the framework also defines verification workflows that make use of attestations that are not SLSA Provenance. So, we decided to author this post as a quick primer on in-toto, how SLSA uses in-toto, and how other attestations can be used to complement SLSA.
-
SLSA v1.0 is now final!
by Mark Lodato on 19 Apr 2023
Almost two years after SLSA’s initial preview release, we are pleased to announce our first official stable version, SLSA v1.0! The full announcement can be found at the OpenSSF press release, and a description of changes can be found at What’s new in v1.0. Thank you to all members of the SLSA community who made this possible through your feedback, suggestions, discussions, and pull requests!
-
Announcing SLSA v1.0 Release Candidate 2
by SLSA Community on 04 Apr 2023
We’re excited to announce SLSA v1.0 Release Candidate 2 (RC2) following the valuable feedback we received on the first release candidate. This is intended to be the final release candidate before marking v1.0 as an Approved Specification.
-
The Breadth and Depth of SLSA
by Mike Lieberman on 03 Apr 2023
Interested in getting involved? Now’s the chance to provide your feedback on the foundational v1 release of the SLSA framework.
-
Announcing SLSA v1.0 Release Candidate
by Mark Lodato, Kris Kooi, Joshua Lock on 24 Feb 2023
Today, we are excited to announce the important milestone of a release candidate (RC) SLSA Specification. This is the first major update to SLSA since its v0.1 release in June 2021, and the RC finalizes multiple revisions to the SLSA specifications and requirements. We’re grateful for the huge community engagement that went into shaping this work.
-
General availability of SLSA 3 Container Generator for GitHub Actions
by Asra Ali, Ian Lewis, Laurent Simon on 01 Feb 2023
Today, we are announcing the general availability of the SLSA 3 Container Generator for GitHub Actions starting with v1.4.0. This free tool allows any GitHub project to produce SLSA level 3 compliant provenance statements so users can verify the origin of container images they use. While previous tools allowed users to generate provenance for file artifacts, the Container Generator is able to support container ecosystems. It does this by allowing provenance statements to be distributed alongside your images in a container registry and integrating directly with Sigstore-compatible tooling for inspection and verification.
-
Safeguarding builds on Google Cloud Build with SLSA
Guest post by Asra Ali, Ian Lewis, Laurent Simon, Stephen Anastos on 05 Dec 2022
Earlier this year, Google Cloud Build (GCB) announced support for Level 3 assurance of Supply-chain Levels for Software Artifacts (SLSA) for container images. Users can now automatically generate verifiable provenance documents (build records) of builds that take place in Cloud Build. Provenance can be used to provide assurance that a trusted builder (in this case, GCB) produced the resulting image through some declared process with trusted source material. To make verification effortless, we are announcing support for verifying the provenance document in the open-source slsa-verifier CLI tool, which previously only had support for GitHub Actions. With the slsa-verifier, everyone — not just the container authors — can verify the SLSA provenance document.
-
Executive Order on Secure Supply Chain — in Plain English
Guest post by Isaac Hepworth on 26 Sep 2022
You may have heard about EO 14028, the “Executive Order on Improving the Nation’s Cybersecurity”, which mandates the establishment of minimum supply chain security standards for all software consumed by the US government. On September 14th the White House Office of Management and Budget (OMB) issued a memorandum setting firm and aggressive timelines for implementation of guidelines stemming from the EO, and you might reasonably be wondering what it all means. If so, this post is for you. We’re going to try to lay it out in plain English and share steps to help you get ready to meet the timelines.
-
General availability of SLSA3 Generic Generator for GitHub Actions
by Ian Lewis, Laurent Simon, Asra Ali on 29 Aug 2022
A few months ago Google and GitHub announced the release of a Go builder that would help software developers and consumers more easily verify the origins of software by using verification files known as provenance. Since then, the SLSA community has been working to enable provenance generation for other projects that may use any number of languages or build tools. Today, we’re pleased to announce that we’re adding a new tool to generate similar provenance documents for projects developed in any programming language, while keeping your existing building workflows.
-
All about that Base(line): How Cybersecurity Frameworks are Evolving with Foundational Guidance
Guest post by Jennifer Privette on 25 Jul 2022
In coordination with Aaron Bacchi, Emmy Eide, Melba Lopez, Brandon Lum, and Moshe Zioni
-
General Availability of SLSA 3 Go native builder for GitHub Actions
by Laurent Simon, Asra Ali, Ian Lewis, Mark Lodato, Jose Palafox, Joshua Lock on 20 Jun 2022
A couple of months ago, Google and GitHub demonstrated how to generate non-forgeable SLSA 3 provenance for packages/binaries created via GitHub Actions (1, 2). Since then, we’ve been working hard to turn the reference example into a production-ready system for everyone to use. Today, we’re announcing the v1 release of the trusted builders that can be used in GitHub Actions and verification tools.
-
SLSA for Success: Using SLSA to help achieve NIST’s SSDF
Guest post by Isaac Hepworth, Meder Kydyraliev, Brandon Lum on 15 Jun 2022
Since February’s release of the latest version of the Secure Software Development Framework (SSDF), software organizations have been poring over the dozens of best practices and tasks laid out by the National Institute of Standards and Technology (NIST) in response to last year’s Executive Order on Cybersecurity. Implementation is tough, though: the guidelines cover organizations of all sizes, cybersecurity sophistication, and operating environment. The descriptive requirements are not prioritized and explicitly not meant to be a checklist to follow. Each organization must find ways to interpret the recommendations for their particular needs.
-
SBOM + SLSA: Accelerating SBOM success with the help of SLSA
Guest post by Brandon Lum, Isaac Hepworth, Meder Kydyraliev on 02 May 2022
-
SLSA Is No Free Lunch
Guest post by Mike Lieberman on 11 Apr 2022
“What is SLSA?” followed closely by “What does SLSA do for me?” are the two most common questions I get when people learn about SLSA. This has led to a lot of confusion as to how folks apply SLSA, and the benefits they get. You can’t just apply SLSA practices to a pipeline that runs a build, generate a SLSA attestation and magically be protected from supply chain compromise. Contrary to a lot of the hype being thrown around, SLSA is no free lunch, and we must help protect our lunch!
-
Introducing the SLSA Blog
by SLSA Community on 08 Apr 2022
We’re excited to launch our very own blog, from which we will be posting project news, documentation, and other information about SLSA. Stay tuned for more posts coming your way soon.