Skip to content
Latchkey

What Is the SLSA Framework? Levels for Supply-Chain Integrity

SLSA (Supply-chain Levels for Software Artifacts) is a framework of graduated security levels that describe how trustworthy a build process is.

SLSA, pronounced "salsa," gives teams a ladder to climb toward a secure supply chain. Instead of a vague "be more secure," it defines concrete levels, each adding requirements around how artifacts are built, how their origin is recorded, and how tamper-resistant the process is. It turns supply-chain security into something you can target and audit.

The problem SLSA addresses

Most software is built by automated pipelines, and attackers increasingly target those pipelines rather than the source code. SLSA focuses on build integrity: proving an artifact was built from the expected source by the expected process, with no tampering in between.

The levels

  • Level 1: the build is scripted and produces provenance.
  • Level 2: provenance is signed by a hosted, authenticated build service.
  • Level 3: the build runs on a hardened, isolated platform resistant to tampering.
  • Higher levels add stronger guarantees of reproducibility and isolation.

Provenance at the core

Every SLSA level builds on provenance: verifiable metadata about how an artifact was produced. Higher levels demand that provenance be signed and that the build environment itself be hard to subvert.

How teams adopt it

Teams usually start at Level 1 by generating provenance in CI, then move up by signing it and running builds on a managed, isolated platform. Each step makes a forged or tampered artifact harder to slip into your release.

Where the build platform matters

Higher SLSA levels require a build environment an attacker cannot easily tamper with: hardened, isolated, and ephemeral. Managed runners that give every job a fresh, isolated environment (like Latchkey) align with the isolation and integrity SLSA expects at the upper levels.

Key takeaways

  • SLSA is a graduated framework of levels for software supply-chain integrity.
  • Each level adds requirements around provenance, signing, and build isolation.
  • Provenance and a hardened, isolated build platform underpin the higher levels.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →