What is SLSA (Supply-chain Levels for Software Artifacts)?

Google-led standard defining 4 levels of supply-chain integrity. Securie produces SLSA Level 3 provenance via the attestation chain.

Full explanation

SLSA Levels 1-4 define increasing requirements: (1) build process documented, (2) tamper-resistant build, (3) hardened build platform + non-falsifiable provenance, (4) hermetic + reproducible builds. Securie's DSSE-signed in-toto v1 attestation chain meets SLSA Level 3 requirements for provenance.

Example

Build pipeline runs Securie scan + signs the result + publishes provenance + builds artifact. Downstream consumer verifies provenance against expected build-platform signature.
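As an added illustration of the sign-then-verify step (example code, not Securie's own implementation or envelope format), a minimal Go version of both sides: the build platform wraps an in-toto v1 SLSA provenance statement in a DSSE envelope, and the downstream consumer checks the envelope signature against the expected build-platform key, the builder id, and the subject digest of the artifact it actually holds. Assumptions: an Ed25519 key stands in for the build-platform signing key, the builder id is whatever the consumer has been told to trust, and `Sign`/`Verify`/`pae` are names chosen here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)
const inToto, slsaV1 = "application/vnd.in-toto+json", "https://slsa.dev/provenance/v1"
type Envelope struct { // DSSE envelope: signatures cover the PAE, never the raw payload
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}
type Statement struct { // in-toto v1 / SLSA v1 fields a consumer must check (untagged names match case-insensitively)
	Subject       []struct{ Digest map[string]string }
	PredicateType string
	Predicate     struct{ RunDetails struct{ Builder struct{ ID string } } }
}
// pae is DSSE pre-authentication encoding: "DSSEv1 <len> <type> <len> <payload>".
func pae(t string, p []byte) []byte { return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(t), t, len(p), p)) }
// Sign is the build platform's step: wrap the statement in a DSSE envelope under the platform key (assumed Ed25519).
func Sign(priv ed25519.PrivateKey, stmt []byte) ([]byte, error) {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(inToto, stmt)))
	return json.Marshal(Envelope{inToto, base64.StdEncoding.EncodeToString(stmt), []map[string]string{{"sig": sig}}})
}
// Verify is the consumer's step: platform-key signature, SLSA v1 provenance from the expected builder, subject digest matching the artifact in hand.
func Verify(pub ed25519.PublicKey, envJSON, artifact []byte, builderID string) error {
	var env Envelope
	err := json.Unmarshal(envJSON, &env)
	payload, _ := base64.StdEncoding.DecodeString(env.Payload) // an undecodable payload cannot verify below
	verified := false
	for _, s := range env.Signatures {
		sig, _ := base64.StdEncoding.DecodeString(s["sig"])
		verified = verified || ed25519.Verify(pub, pae(inToto, payload), sig)
	}
	if err != nil || !verified {
		return fmt.Errorf("envelope is malformed or not signed by the expected build platform")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil || st.PredicateType != slsaV1 || st.Predicate.RunDetails.Builder.ID != builderID {
		return fmt.Errorf("payload is not SLSA v1 provenance from builder %q", builderID)
	}
	for _, sub := range st.Subject { // provenance must name this exact artifact by digest
		if sub.Digest["sha256"] == fmt.Sprintf("%x", sha256.Sum256(artifact)) {
			return nil
		}
	}
	return fmt.Errorf("artifact digest not among provenance subjects")
}
```

A real consumer obtains the platform's public key from a trusted source (a pinned key or transparency log), never from the envelope itself, and rejects the artifact on any of the four failures above.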

FAQ

How does SLSA relate to SBOM?

SLSA = how the artifact was built (provenance). SBOM = what's in the artifact (components). Both required for supply-chain transparency.