<!DOCTYPE html> <html lang="en"><head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta name="viewport" content="width=device-width, initial-scale=1" /><!-- Begin Jekyll SEO tag v2.8.0 --> <meta name="generator" content="Jekyll v3.9.5" /> <meta property="og:title" content="Get started" /> <meta property="og:locale" content="en_US" /> <meta name="description" content="If you’re looking to jump straight in and try SLSA, here’s a quick start guide for the steps to take to reach the different SLSA levels." /> <meta property="og:description" content="If you’re looking to jump straight in and try SLSA, here’s a quick start guide for the steps to take to reach the different SLSA levels." /> <meta property="og:site_name" content="SLSA" /> <meta property="og:image" content="/images/icons/android-chrome-192x192.png" /> <meta property="og:type" content="website" /> <meta name="twitter:card" content="summary_large_image" /> <meta property="twitter:image" content="/images/icons/android-chrome-192x192.png" /> <meta property="twitter:title" content="Get started" /> <script type="application/ld+json"> {"@context":"https://schema.org","@type":"WebPage","description":"If you’re looking to jump straight in and try SLSA, here’s a quick start guide for the steps to take to reach the different SLSA levels.","headline":"Get started","image":"/images/icons/android-chrome-192x192.png","publisher":{"@type":"Organization","logo":{"@type":"ImageObject","url":"/images/icons/android-chrome-512x512.png"}},"url":"/get-started"}</script> <!-- End Jekyll SEO tag --> <link rel="stylesheet" href="/vendor/tailwindcss-2.2.19/tailwind.min.css"> <link rel="stylesheet" href="/assets/main.css"> <link rel="apple-touch-icon" sizes="180x180" href="/images/icons/apple-touch-icon.png"> <link rel="icon" type="image/png" sizes="32x32" href="/images/icons/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="/images/icons/favicon-16x16.png"> <link rel="icon" type="image/png" sizes="16x16" href="/images/icons/favicon-16x16.png"> <link rel="icon" type="image/x-icon" href="/images/icons/favicon.ico"> <link rel="mask-icon" href="/images/icons/safari-pinned-tab.svg" color="#5bbad5"> <meta name="msapplication-TileColor" content="#da532c" /> <meta name="msapplication-square150x150logo" content="/images/icons/mstile-150x150.png" /> <meta name="theme-color" content="#ffffff" /> <title>SLSA • Get started</title> <link rel="stylesheet" href="/fonts/inter/inter.css"> <link rel="stylesheet" href="/fonts/ibm_plex/IBMPlexMono-Regular.css"> <link rel="stylesheet" href="/fonts/prodigy/ProdigySans.css"> <script src="/vendor/swiper-6.8.4/swiper-bundle.min.js"></script> <link rel="stylesheet" href="/vendor/swiper-6.8.4/swiper-bundle.min.css"> <script defer src="/vendor/alpinejs-3.10.2/cdn.min.js"></script><link type="application/atom+xml" rel="alternate" href="/feed.xml" title="SLSA" /></head> <body x-data="{navOpen: false}" x-init="$refs.body.style.setProperty('--scrollbar-width', `${window.innerWidth - document.body.offsetWidth}px`)" x-ref="body" ><aside class="site-aside flex flex-col flex-none" :class="{'is-open': navOpen}" > <div class="aside-header p-5 flex justify-between items-center show-laptop"> <a rel="author" href="/" class="logo block"> <img class="logo-white" src="/images/logo.svg" alt="SLSA logo" /> </a> <a class="desktop-github-icon" href="https://github.com/slsa-framework/slsa" target="_blank"> <svg width="22" height="22" viewBox="0 0 22 22" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" clip-rule="evenodd" d="M11.2344 0.150879C5.28641 0.150879 0.468811 4.96848 0.468811 10.9165C0.468811 15.6803 3.55046 19.7039 7.82978 21.1303C8.36806 21.2245 8.56991 20.9016 8.56991 20.619C8.56991 20.3633 8.55646 19.5155 8.55646 18.6139C5.8516 19.1118 5.15184 17.9545 4.93653 17.3489C4.81541 17.0394 4.29059 16.084 3.83306 15.8283C3.45626 15.6264 2.91798 15.1285 3.8196 15.1151C4.66739 15.1016 5.27295 15.8956 5.47481 16.2185C6.44371 17.8468 7.99126 17.3893 8.61028 17.1067C8.70448 16.4069 8.98708 15.9359 9.29659 15.6668C6.90125 15.3977 4.39825 14.4691 4.39825 10.3513C4.39825 9.18051 4.81541 8.21161 5.50172 7.45802C5.39407 7.18888 5.01727 6.08541 5.60938 4.60514C5.60938 4.60514 6.51099 4.32254 8.56991 5.70861C9.43116 5.46639 10.3462 5.34527 11.2613 5.34527C12.1764 5.34527 13.0914 5.46639 13.9527 5.70861C16.0116 4.30909 16.9132 4.60514 16.9132 4.60514C17.5053 6.08541 17.1285 7.18888 17.0209 7.45802C17.7072 8.21161 18.1244 9.16706 18.1244 10.3513C18.1244 14.4826 15.6079 15.3977 13.2126 15.6668C13.6028 16.0032 13.9392 16.6492 13.9392 17.6584C13.9392 19.0983 13.9258 20.2556 13.9258 20.619C13.9258 20.9016 14.1276 21.238 14.6659 21.1303C16.8031 20.4088 18.6602 19.0353 19.9758 17.2031C21.2915 15.3708 21.9994 13.1721 22 10.9165C22 4.96848 17.1824 0.150879 11.2344 0.150879Z" /> </svg> </a> </div> <div class="aside-content px-5 py-1 flex-1 overflow-auto"> <select id="redirectSelect.show-laptop" disabled class="select-dropdown p-1 mx-1 my-4 opacity-0 show-laptop border-gray-400"> <option selected value="" class="inline-block"></option> </select> <nav class="site-nav"><ul><li> <a class="nav-link" href="/spec/v1.0/"> Overview </a> </li><li> <span class="section-title">Understanding SLSA</span> <ul><li> <a class="nav-link" href="/spec/v1.0/whats-new"> What&#39;s new in v1.0 </a> </li><li> <a class="nav-link" href="/spec/v1.0/about"> About SLSA </a> </li><li> <a class="nav-link" href="/spec/v1.0/threats-overview"> Supply chain threats </a> </li><li> <a class="nav-link" href="/spec/v1.0/use-cases"> Use cases </a> </li><li> <a class="nav-link" href="/spec/v1.0/principles"> Guiding principles </a> </li><li> <a class="nav-link" href="/spec/v1.0/faq"> FAQ </a> </li><li> <a class="nav-link" href="/spec/v1.0/future-directions"> Future directions </a> </li> </ul> </li><li> <span class="section-title">Core specification</span> <ul><li> <a class="nav-link" href="/spec/v1.0/terminology"> Terminology </a> </li><li> <a class="nav-link" href="/spec/v1.0/levels"> Security levels </a> </li><li> <a class="nav-link" href="/spec/v1.0/requirements"> Producing artifacts </a> </li><li> <a class="nav-link" href="/spec/v1.0/distributing-provenance"> Distributing provenance </a> </li><li> <a class="nav-link" href="/spec/v1.0/verifying-artifacts"> Verifying artifacts </a> </li><li> <a class="nav-link" href="/spec/v1.0/verifying-systems"> Verifying build platforms </a> </li><li> <a class="nav-link" href="/spec/v1.0/threats"> Threats &amp; mitigations </a> </li> </ul> </li><li> <span class="section-title">Attestation formats</span> <ul><li> <a class="nav-link" href="/attestation-model"> General model </a> </li><li> <a class="nav-link" href="/spec/v1.0/provenance"> Provenance </a> </li><li> <a class="nav-link" href="/spec/v1.0/verification_summary"> Verification Summary </a> </li> </ul> </li><li> <span class="section-title">How to SLSA</span> <ul><li> <a class="nav-link is-active" href="/get-started"> For developers </a> </li><li> <a class="nav-link" href="/how-to-orgs"> For organizations </a> </li><li> <a class="nav-link" href="/how-to-infra"> For infrastructure providers </a> </li> </ul> </li><li> <a class="nav-link" href="/spec-stages"> Specification stages </a> </li><li> <a class="nav-link" href="/community"> Community </a> </li><li> <a class="nav-link" href="/blog"> Blog </a> </li><li> <a class="nav-link" href="/spec/v1.0/onepage"> Single-page view </a> </li> </ul> </nav> </div> </aside> <div class="site-main"> <header class="site-header flex-none" x-data="{ fixed: false, hidden: false, lastPos: window.scrollY, scrolledPast: false }" x-ref="navbar" x-on:scroll.window=" fixed = window.scrollY > lastPos ? window.scrollY >= $refs.navbar.offsetHeight : window.scrollY > 0; hidden = fixed && window.scrollY > lastPos; if (window.scrollY > $refs.navbar.offsetHeight && !scrolledPast) { setTimeout(() => $refs.navbar.classList.add('is-scrolled-past'), 500); scrolledPast = true; } else if (window.scrollY === 0) { $refs.navbar.classList.remove('is-scrolled-past'); scrolledPast = false; } lastPos = window.scrollY; " x-bind:class="{ 'is-fixed': fixed, 'is-hidden': hidden, 'menu-open': navOpen }" > <div class="site-header-inner h-full flex items-center gap-5" > <button x-on:click="navOpen = !navOpen" :class="{ 'active': navOpen }" class="mobile-menu-button inline-block hide-laptop"> <span></span> <span></span> <span></span> </button> <a rel="author" href="/" class="logo block"> <img class="logo-white" src="/images/logo.svg" alt="SLSA logo" /> </a> <select id="redirectSelect.hide-laptop" disabled class="select-dropdown p-1 mx-1 my-4 opacity-0 hide-laptop border-gray-400"> <option selected value="" class="inline-block"></option> </select> <a class="desktop-github-icon ml-auto" href="https://github.com/slsa-framework/slsa" target="_blank"> <svg width="22" height="22" viewBox="0 0 22 22" fill="currentColor" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" clip-rule="evenodd" d="M11.2344 0.150879C5.28641 0.150879 0.468811 4.96848 0.468811 10.9165C0.468811 15.6803 3.55046 19.7039 7.82978 21.1303C8.36806 21.2245 8.56991 20.9016 8.56991 20.619C8.56991 20.3633 8.55646 19.5155 8.55646 18.6139C5.8516 19.1118 5.15184 17.9545 4.93653 17.3489C4.81541 17.0394 4.29059 16.084 3.83306 15.8283C3.45626 15.6264 2.91798 15.1285 3.8196 15.1151C4.66739 15.1016 5.27295 15.8956 5.47481 16.2185C6.44371 17.8468 7.99126 17.3893 8.61028 17.1067C8.70448 16.4069 8.98708 15.9359 9.29659 15.6668C6.90125 15.3977 4.39825 14.4691 4.39825 10.3513C4.39825 9.18051 4.81541 8.21161 5.50172 7.45802C5.39407 7.18888 5.01727 6.08541 5.60938 4.60514C5.60938 4.60514 6.51099 4.32254 8.56991 5.70861C9.43116 5.46639 10.3462 5.34527 11.2613 5.34527C12.1764 5.34527 13.0914 5.46639 13.9527 5.70861C16.0116 4.30909 16.9132 4.60514 16.9132 4.60514C17.5053 6.08541 17.1285 7.18888 17.0209 7.45802C17.7072 8.21161 18.1244 9.16706 18.1244 10.3513C18.1244 14.4826 15.6079 15.3977 13.2126 15.6668C13.6028 16.0032 13.9392 16.6492 13.9392 17.6584C13.9392 19.0983 13.9258 20.2556 13.9258 20.619C13.9258 20.9016 14.1276 21.238 14.6659 21.1303C16.8031 20.4088 18.6602 19.0353 19.9758 17.2031C21.2915 15.3708 21.9994 13.1721 22 10.9165C22 4.96848 17.1824 0.150879 11.2344 0.150879Z" /> </svg> </a> </div> </header> <main class="site-clamp" aria-label="Content"> <header class="content-header"> <h1 class="mb-16">Get started</h1> </header> <div class="site-content has-toc"> <aside class="table-of-contents flex flex-col"> <div class="flex-auto rounded-lg p-4 border border-green-900 overflow-auto"> <p class="header-small uppercase">On this page</p> <ul><li><a href="#choosing-your-slsa-level">Choosing your SLSA level</a><ul><li><a href="#provenance-verification">Provenance verification</a></li><li><a href="#provenance-formatting">Provenance formatting</a></li><li><a href="#provenance-storage">Provenance storage</a></li></ul></li><li><a href="#slsa-1">SLSA 1</a><ul><li><a href="#tooling">Tooling</a></li><li><a href="#build-platform-plugins-or-extensions">Build platform plugins or extensions</a></li><li><a href="#build-observers-with-hosted-platforms">Build observers with hosted platforms</a></li></ul></li><li><a href="#slsa-2">SLSA 2</a></li><li><a href="#slsa-3">SLSA 3</a><ul><li><a href="#github-actions">GitHub Actions</a></li></ul></li><li><a href="#builder-slsa-levels">Builder SLSA levels</a></li></ul> </div> </aside> <div class="content main-content"> <p>If you’re looking to jump straight in and try SLSA, here’s a quick start guide for the steps to take to reach the different SLSA levels.</p> <h2 id="choosing-your-slsa-level">Choosing your SLSA level</h2> <p>For all <a href="/spec/v1.0/levels">SLSA levels</a>, you follow the same steps:</p> <ol> <li>Generate provenance, i.e., document your build process</li> <li>Make the provenance available, to allow downstream users to verify it</li> </ol> <p>What differs for each level is the robustness of the build and provenance. For more information about provenance see <a href="/provenance/">https://slsa.dev/provenance/</a>.</p> <p>The tools discussed in this guide are freely available and believed to meet SLSA expectations. The <a href="#builder-slsa-levels">Builder SLSA levels section</a> provides a more complete list. If you think a build option is misclassified or want to add one, please <a href="https://github.com/slsa-framework/slsa/issues">open an issue</a> or <a href="https://github.com/slsa-framework/slsa/pulls">submit a PR</a> against this page.</p> <p>SLSA levels are progressive: SLSA 3 includes all the guarantees of SLSA 2, and SLSA 2 includes all the guarantees of SLSA 1. Currently, though, the work required to achieve lower SLSA levels will not necessarily accrue toward the work needed for higher levels, because achieving a higher level may require migrating to a different build platform altogether. For that reason, <strong>you should start with the highest level that’s possible for your project or organization to avoid wasted work</strong>.</p> <p>The SLSA level you implement depends on your current build situation:</p> <ul> <li>If you are using GitHub Actions, jump directly to <a href="#SLSA3">SLSA 3</a>. You do not need to implement SLSA 1 or SLSA 2.</li> <li>If you are using <a href="https://github.com/buildsec/frsca">FRSCA</a>, jump to <a href="#SLSA2">SLSA 2</a>. You do not need to implement SLSA 1.</li> <li>If you’re using any other build platform, consult its documentation to find out what SLSA level it supports and how to proceed. If your build platform doesn’t support the SLSA level you are aiming for or you do not use any build platform, you should consider adopting one that does, such as GitHub Actions and FRSCA discussed below.</li> </ul> <h3 id="provenance-verification">Provenance verification</h3> <p>Various build methods require different methods to verify provenance. The SLSA community already has some verification methods and is working on additional solutions for provenance verification. Even if there is currently no simple verification method for a particular build platform, adopting these builders now means you will be “SLSA ready” when more ecosystem tooling is released. Note that when you create provenance, you must supply to users a method for interpreting what you have created.</p> <h3 id="provenance-formatting">Provenance formatting</h3> <p>Your provenance format depends on who will be consuming it. See <a href="/provenance">provenance</a> for an explanation of which format to choose.</p> <h3 id="provenance-storage">Provenance storage</h3> <p>Containers have a standard place to put the provenance in the OCI container registry. With time, the SLSA community hopes to create standard ecosystem-based repositories for provenance. For now, the convention is to keep the provenance attestation with your artifact. Though <a href="https://www.sigstore.dev/">Sigstore</a> is becoming more and more popular, the format of the provenance is currently tool-specific.</p> <p><a id="SLSA1"></a></p> <h2 id="slsa-1">SLSA 1</h2> <p>As mentioned before, if you don’t already use a build platform or CI/CD, you should consider adopting a platform that supports SLSA 2 or SLSA 3. This will make the following steps easier and provide for higher SLSA levels later on. Individual developers who wish to put a minimal amount of security on their builds can use SLSA 1.</p> <p>SLSA 1 requires that the build process is documented. Some tools suggested below also support signed provenance. Though not required for SLSA 1, signing your provenance increases trust in the document by showing that it has not been tampered with.</p> <h3 id="tooling">Tooling</h3> <p>A build configuration file (i.e., GitHub workflow) qualifies for SLSA 1. It would be considered unsigned, unformatted provenance.</p> <h3 id="build-platform-plugins-or-extensions">Build platform plugins or extensions</h3> <p>The following options work with your build platform to produce unsigned, formatted provenance. They do not qualify for SLSA 2 because they are unsigned and not run by the hosted server:</p> <ul> <li><a href="https://github.com/slsa-framework/azure-devops-demo">Azure DevOps extension</a></li> <li><a href="https://github.com/slsa-framework/slsa-jenkins-generator">Jenkins SLSA generator</a></li> <li><a href="https://plugins.jenkins.io/in-toto/">Jenkins plugin</a></li> </ul> <p>Downstream users may verify the provenance with <a href="https://cuelang.org/docs/">Cue Policies</a>.</p> <h3 id="build-observers-with-hosted-platforms">Build observers with hosted platforms</h3> <p>The following options are user-configured inside a hosted platform. They observe the build process and produce signed, formatted provenance. These options do not qualify for SLSA 2 because they are configured by users, not the hosted platform.</p> <p>Downstream users may verify the provenance with Cue policies and the signature with Cosign.</p> <p><strong>Note:</strong> If you are using one of these options with GitHub Actions, jump to SLSA 3 and use the builder itself to generate provenance.</p> <ul> <li>If you’re using <a href="https://github.com/kubernetes-sigs/tejolote">Tejolote</a> with GitHub Actions, jump to SLSA 3 and generate provenance directly from the builder.</li> <li><a href="https://tekton.dev/docs/chains/signed-provenance-tutorial/">Tekton Chains</a> – custom resource definition controller that can generate provenance for Kubernetes OCI containers</li> </ul> <p><a id="SLSA2"></a></p> <h2 id="slsa-2">SLSA 2</h2> <p>To achieve SLSA 2, the goals are to:</p> <ul> <li>Run your build on a hosted platform that generates and signs provenance</li> <li>Publish the provenance to allow downstream users to verify it</li> </ul> <p>The following is a SLSA 2 builder:</p> <ul> <li><a href="https://github.com/buildsec/frsca">Factory for Repeatable Secure Creation of Artifacts (FRSCA)</a></li> </ul> <p>FRSCA is an OpenSSF project that aims at offering a full build pipeline. It is not yet generally available. It qualifies as a SLSA 2 builder because regular users of the platform are not able to inject or alter the contents of the provenance it generates. FRSCA produces signed, formatted provenance that can be verified by the generic SLSA verifier.</p> <p><a id="SLSA3"></a></p> <h2 id="slsa-3">SLSA 3</h2> <p>To achieve SLSA 3, you must:</p> <ul> <li>Run your build on a hosted platform that generates and signs provenance</li> <li>Ensure that build runs cannot influence each other</li> <li>Produce signed provenance that can be verified as authentic</li> </ul> <h3 id="github-actions">GitHub Actions</h3> <p>If you are building on GitHub Actions, adopt the <a href="https://github.com/slsa-framework/slsa-github-generator">Language-agnostic GitHub provenance generator / builder</a> to make your build qualify for SLSA 3. Consumers can use the <a href="https://github.com/slsa-framework/slsa-verifier">Generic SLSA Verifier</a> for provenance verification.</p> <h2 id="builder-slsa-levels">Builder SLSA levels</h2> <p>The following table shows known build software packages and the potential SLSA level they are believed to qualify for. Potential levels are reached with proper provenance. Again, if you think a build option is misclassified or want to add one, please <a href="https://github.com/slsa-framework/slsa/issues">open an issue</a> or <a href="https://github.com/slsa-framework/slsa/pulls">submit a PR</a> against this page.</p> <p>Note that this list is provided “as is”. OpenSSF makes no claim as to the reliability of this information. A certification program is under development to provide a more definitive list.</p> <table> <thead> <tr> <th>Builder</th> <th align="center">Potential SLSA Level</th> </tr> </thead> <tbody> <tr> <td>FRSCA</td> <td align="center">2</td> </tr> <tr> <td>GitHub Actions</td> <td align="center">3</td> </tr> <tr> <td>Google Cloud Build</td> <td align="center">3</td> </tr> <tr> <td>No Hosted Build Platform</td> <td align="center">1</td> </tr> </tbody> </table> </div> </div> </main><footer class="site-footer flex-none h-card text-white"> <div class="site-clamp py-4 flex flex-wrap items-start justify-between w-full"> <div class="w-full md:w-1/3 mb-8 md:mb-0"> <p><strong>SLSA is a cross-industry collaboration.</strong><br> © 2024 The Linux Foundation, under the terms of the <a href="https://github.com/slsa-framework/governance">Community Specification License 1.0</a></p> </div> <div class="w-full md:w-1/3 mb-8 md:mb-0"> <p><strong>Privacy statement</strong><br> We use <a href="https://goatcounter.com">GoatCounter</a> to help us improve our website by collecting and reporting information on how it's used. We do not store advertising or tracking cookies. The information we collect does not identify anyone and does not track an individual's use of the site.</p> </div> <div class="w-full md:w-1/4 mb-8 md:mb-0 flex md:justify-end"> <p> <a href="https://github.com/slsa-framework/slsa/blob/910587ad00cc1f893b1e1ef6af3fb00c382e72f3/docs/get-started.md?plain=1" target="_blank" class="flex gap-4 h5 font-normal"> View source on GitHub <svg width="22" height="22" viewBox="0 0 22 22" fill="none" xmlns="http://www.w3.org/2000/svg"> <path fill-rule="evenodd" clip-rule="evenodd" d="M11.2344 0.150879C5.28641 0.150879 0.468811 4.96848 0.468811 10.9165C0.468811 15.6803 3.55046 19.7039 7.82978 21.1303C8.36806 21.2245 8.56991 20.9016 8.56991 20.619C8.56991 20.3633 8.55646 19.5155 8.55646 18.6139C5.8516 19.1118 5.15184 17.9545 4.93653 17.3489C4.81541 17.0394 4.29059 16.084 3.83306 15.8283C3.45626 15.6264 2.91798 15.1285 3.8196 15.1151C4.66739 15.1016 5.27295 15.8956 5.47481 16.2185C6.44371 17.8468 7.99126 17.3893 8.61028 17.1067C8.70448 16.4069 8.98708 15.9359 9.29659 15.6668C6.90125 15.3977 4.39825 14.4691 4.39825 10.3513C4.39825 9.18051 4.81541 8.21161 5.50172 7.45802C5.39407 7.18888 5.01727 6.08541 5.60938 4.60514C5.60938 4.60514 6.51099 4.32254 8.56991 5.70861C9.43116 5.46639 10.3462 5.34527 11.2613 5.34527C12.1764 5.34527 13.0914 5.46639 13.9527 5.70861C16.0116 4.30909 16.9132 4.60514 16.9132 4.60514C17.5053 6.08541 17.1285 7.18888 17.0209 7.45802C17.7072 8.21161 18.1244 9.16706 18.1244 10.3513C18.1244 14.4826 15.6079 15.3977 13.2126 15.6668C13.6028 16.0032 13.9392 16.6492 13.9392 17.6584C13.9392 19.0983 13.9258 20.2556 13.9258 20.619C13.9258 20.9016 14.1276 21.238 14.6659 21.1303C16.8031 20.4088 18.6602 19.0353 19.9758 17.2031C21.2915 15.3708 21.9994 13.1721 22 10.9165C22 4.96848 17.1824 0.150879 11.2344 0.150879Z" fill="white"/> </svg> </a> <br> This site is powered by <a href="https://www.netlify.com">Netlify</a> </p> </div> </div> <div class="site-clamp py-4 flex items-start justify-between w-full mb-16 md:mb-0"> <a rel="author" href="/"><img src="/images/logo.svg" alt="SLSA logo" /></a> </div> </footer> </div> </body> </html>