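SLSA specification
SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.
This is version 1.0 of the SLSA specification, which defines the SLSA levels and the recommended attestation formats, including provenance.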
Understanding SLSA
These pages provide an overview of SLSA, how it helps protect against common supply chain attacks, and common use cases. If you’re new to SLSA or supply chain security, start here.
Page | Description |
---|---|
What’s new in v1.0 | What’s new in SLSA Version 1.0 |
About SLSA | An introductory guide to SLSA |
Supply chain threats | An introduction to supply chain threats |
Use cases | Use cases |
Guiding principles | Use cases |
FAQ | Questions and more information |
Future directions | Additions and changes being considered for future SLSA versions |
Core specification
These pages describe SLSA’s security levels and requirements for each track. If you want to achieve a particular SLSA level, these are the requirements you’ll need to meet.
Page | Description |
---|---|
Terminology | Terminology and model used by SLSA |
Security levels | Overview of SLSA’s tracks and levels, intended for all audiences |
Producing artifacts | Detailed technical requirements for producing software artifacts, intended for platform implementers |
Distributing provenance | Detailed technical requirements for distributing provenance, intended for platform implementers and software distributors |
Verifying artifacts | Guidance for verifying software artifacts and their SLSA provenance, intended for platform implementers and software consumers |
Verifying build platforms | Guidelines for securing SLSA Build L3+ builders, intended for platform implementers |
Threats & mitigations | Detailed information about specific supply chain attacks and how SLSA helps |
Attestation formats
These pages include the concrete schemas for SLSA attestations. The Provenance and VSA formats are recommended, but not required by the specification.
Page | Description |
---|---|
General model | General attestation model |
Provenance | Suggested provenance format and explanation |
VSA | Suggested VSA format and explanation |
How to SLSA
These instructions tell you how to apply the core SLSA specification to use SLSA in your specific situation.
Page | Description |
---|---|
For developers | How to apply SLSA requirements to your build |
For organizations | How to apply SLSA to an organization |
For infrastructure providers | How to implement SLSA in source, build, and package platforms |