# Get started

If you’re looking to jump straight in and try SLSA, here’s a quick start guide for the steps to take to reach the first SLSA level. Level 1 ensures that you’re setting up the foundation of trust in a system and that all your applications are generating appropriate provenance data. It also sets a baseline to achieve higher SLSA compliance later, which we explain in detail below.
## Overview

This guide will help you achieve Level 1, and it should take less than a couple of hours for an individual project. The goals are to:
- Automate your builds
- Produce provenance data
The tools listed are optional resources only, included for demonstration and context-specific guidance.

## Steps
- If you don't already use a build service or CI/CD, we recommend you set one up. This is not strictly required but it makes the following steps easier and is needed for higher levels. Consider using a service that is supported in the next step.
- Generate provenance during your build. The tools below might be useful. If your build service is not listed there, consider creating a plugin to generate provenance.
- Make the provenance available to your consumers. We don't yet have a standard convention for this. Best practices will develop as SLSA becomes more popular and we get more experience.
- You’re Level 1! Add the SLSA Level 1 badge to your project's readme.
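To make the second and third steps concrete, here is an added example (not code from the SLSA project or any of the tools listed below) of what a consumer does with the provenance once it is available: it constructs an in-toto Statement carrying a SLSA provenance v0.1 predicate inline, then checks that the subject digest matches the artifact actually downloaded, that a builder is named, and that the top-level source and entry point are recorded. The artifact bytes, builder id, recipe type, repository URL and commit id are constructed sample values, and which fields count as "appropriate provenance" for Level 1 is this example's assumption rather than text from this page.

```python
"""Consumer-side check of a SLSA v0.1 provenance statement (added example)."""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.1"

# Constructed sample artifact: the bytes a consumer has downloaded.
ARTIFACT_NAME = "hello-1.0.0.tar.gz"
ARTIFACT_BYTES = b"pretend this is a release tarball\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_provenance(artifact_digest: str) -> dict:
    """Return a constructed in-toto Statement with a SLSA v0.1 predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": artifact_digest}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            # Hypothetical builder id; a real build service fills this in.
            "builder": {"id": "https://example.com/ci/builder@v1"},
            "recipe": {
                "type": "https://example.com/ci/build-workflow@v1",  # hypothetical
                "definedInMaterial": 0,       # index into materials: the source repo
                "entryPoint": ".ci/build.yml",  # hypothetical build definition path
            },
            "metadata": {"buildInvocationId": "constructed-run-42"},
            "materials": [
                {
                    "uri": "git+https://example.com/org/hello@refs/heads/main",
                    "digest": {"sha1": "0" * 40},  # placeholder commit id
                }
            ],
        },
    }


def check_provenance(statement: dict, artifact: bytes) -> list:
    """Return a list of problems found; an empty list means all checks passed."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("unexpected predicate type")

    # The artifact we hold must be one of the statement's subjects.
    actual = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        problems.append("artifact digest does not match any subject")

    pred = statement.get("predicate", {})
    if not pred.get("builder", {}).get("id"):
        problems.append("builder id missing")

    # The recipe must point at a material (the top-level source) and name an entry point.
    recipe = pred.get("recipe", {})
    materials = pred.get("materials", [])
    idx = recipe.get("definedInMaterial")
    if not (isinstance(idx, int) and 0 <= idx < len(materials)):
        problems.append("recipe.definedInMaterial does not point at a material")
    elif not materials[idx].get("uri"):
        problems.append("top-level source material has no uri")
    if not recipe.get("entryPoint"):
        problems.append("recipe entryPoint missing")
    return problems


if __name__ == "__main__":
    prov = build_sample_provenance(sha256_hex(ARTIFACT_BYTES))
    print(json.dumps(prov, indent=2))
    print("problems:", check_provenance(prov, ARTIFACT_BYTES))
    # A tampered artifact no longer matches the subject digest.
    print("problems (tampered):", check_provenance(prov, ARTIFACT_BYTES + b"x"))
```

The check deliberately treats the statement as untrusted input (every lookup uses `.get` with a default) so a malformed or truncated provenance file produces a list of findings instead of an exception. Signature verification of the statement, which tools such as Cosign provide, is out of scope here and would run before these content checks.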
## Tools
- GitHub actions provenance generator (SLSA level 1)
- Azure DevOps provenance generator (SLSA level 1)
- Google Cloud Build (SLSA level 2)
- Sigstore Cosign for storing signed provenance
Once the foundations are in place with Level 1, you can start looking towards the higher levels to further strengthen artifact integrity with central monitoring, authentication and automated compilation, as well as more secure development practices. But there are a few things to consider first:

## Define your ideal state

Which level is realistic, and which is appropriate for your project in the short term and for your immediate needs? It can take years to achieve the ideal security state, so having intermediate milestones is important.
Not all projects require Level 4, and for others it’s impossible to achieve. If it seems unrealistic for your project, focus your efforts on Level 3 instead.
## Make progress in parallel
You can progressively attain higher SLSA levels. Each artifact’s SLSA level is independent from one another, allowing parallel progress and prioritization based on risk.
Already at SLSA Level 1? Let us know what went well, what didn’t, and what could be improved. We’re developing new tools and onboarding resources to make the process even easier, so your contribution really goes a long way.