What is SLSA provenance and how Chainloop helps you verify your SLSA compliance.
Requirement | Description | Chainloop Policy |
---|---|---|
slsa-build-l1-1 | Follows consistent build process: scripted, repeatable (e.g., GitHub Actions), low variability, includes Git commit SHA. | runner-automated (automatic) |
slsa-build-l1-2 | Ensures build is run on a dedicated infrastructure. | runner-automated (automatic) |
slsa-build-l1-3 | Provenance is distributed, preferably via ecosystem convention. | convention-agreed (manual evidence) |
Requirement | Description | Chainloop Policy |
---|---|---|
slsa-build-l2-1 | Build runs on dedicated infra, provenance is signed using keyless signing. | signature-present (automatic) |
slsa-build-l2-2 | Provenance is signed using keyless signing and the runner is authenticated via OIDC token. | signature-present, runner-authenticated (automatic) |
Requirement | Description | Chainloop Policy |
---|---|---|
slsa-build-l3-1 | Build platform prevents cross-run interference, even within the same project. | Automatic: runner-authenticated. Manual evidence: build-platform-multifactor, build-platform-isolated, build-platform-connections, build-platform-access, build-platform-monitoring, controls-build-platform-evidence |
slsa-build-l3-2 | Build platform provenance signature is verified. | Automatic: signature-present. Manual evidence: build-platform-certificate, controls-build-platfrom-secrets-evidence |
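To make the automatic rows concrete, here is an added illustration (not Chainloop's own policy code) of what an automated checker can read straight out of a SLSA v1 provenance envelope: the scripted build type and Git commit SHA behind slsa-build-l1-1, the builder identity behind slsa-build-l1-2, and the signature presence behind slsa-build-l2-1. The statement, builder id, repository and signature bytes are constructed placeholders; the runner-authenticated (OIDC) check needs the signing certificate and is deliberately not modelled.

```python
import base64
import json
import re

SLSA_V1 = "https://slsa.dev/provenance/v1"
GIT_SHA = re.compile(r"^[0-9a-f]{40}$")  # a full Git commit SHA-1, hex encoded


def make_statement(git_commit="0123456789abcdef0123456789abcdef01234567"):
    """Constructed in-toto statement with a SLSA v1 provenance predicate (placeholder values)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": "ab" * 32}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/buildtypes/ci-workflow/v1",
                "resolvedDependencies": [
                    {"uri": "git+https://example.invalid/org/repo", "digest": {"gitCommit": git_commit}}
                ],
            },
            "runDetails": {"builder": {"id": "https://example.invalid/build-platform/v1"}},
        },
    }


def make_envelope(statement, signed=True):
    """Wrap a statement in a DSSE envelope; the signature bytes are a placeholder, not a real signature."""
    sigs = [{"keyid": "placeholder-key", "sig": base64.b64encode(b"placeholder").decode()}] if signed else []
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": sigs,
    }


def check_envelope(envelope):
    """Return the ids of the table rows whose automatable condition the envelope does not satisfy."""
    failed = []
    statement = json.loads(base64.b64decode(envelope["payload"]))
    predicate = statement.get("predicate", {}) if statement.get("predicateType") == SLSA_V1 else {}
    build = predicate.get("buildDefinition", {})
    commits = [d.get("digest", {}).get("gitCommit", "") for d in build.get("resolvedDependencies", [])]
    # slsa-build-l1-1: a scripted build type is recorded and a full Git commit SHA is captured
    if not build.get("buildType") or not any(GIT_SHA.match(c) for c in commits):
        failed.append("slsa-build-l1-1")
    # slsa-build-l1-2: the build platform identifies itself via a builder id
    if not predicate.get("runDetails", {}).get("builder", {}).get("id"):
        failed.append("slsa-build-l1-2")
    # slsa-build-l2-1: the provenance carries a signature (presence only; validating the keyless
    # signature against its certificate is a separate step this example does not perform)
    if not envelope.get("signatures"):
        failed.append("slsa-build-l2-1")
    return failed
```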
slsa-build-l3-1 is currently a mixture of manual and automatic checks in Chainloop, with the automation ensuring:

slsa-build-l3-2 is currently a mixture of manual and automatic checks in Chainloop, with the automation ensuring: