diff --git a/docs/spec/draft/source-requirements.md b/docs/spec/draft/source-requirements.md index 406ebd840..e2cb85f78 100644 --- a/docs/spec/draft/source-requirements.md +++ b/docs/spec/draft/source-requirements.md 
@@ -218,21 +218,27 @@ If a consumer is authorized to access source on a particular branch, they MUST b It is possible that an SCS can make no claims about a particular revision. For example, this would happen if the revision was created on another SCS, or if the revision was not the result of an accepted change management process. + ✓ -Change management process +Enforced change management process + +The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions) + +1. Are discoverable by authorized users of the repo. +2. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). + +For example, this could be accomplished by: -The repo must define how the content of a [branch](#definitions) is allowed to change. -This is typically done via the configuration of branch protection rules. -It MUST NOT be possible to modify the content of a branch without following its documented process. +- Via the configuration of branch protection rules (e.g.[GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule), [GitLab](https://docs.gitlab.com/ee/user/project/repository/branches/protected.html)), or +- via application and verification of [gittuf](https://github.com/gittuf/gittuf) policies, or +- some other mechanism as enforced by the [Change management tool](#change-management-tool-requirements). -SLSA Source Level 2 ensures that all changes are recorded and attributable to an actor. -SLSA Source Level 3 ensures that the documented process was followed. ✓ ## Change management tool requirements -The change management tool MUST be able to authoritatively state that each new revision reachable from the protected branch represents only the changes managed via the process. 
+The change management tool MUST be able to authoritatively state that each new revision reachable from the protected branch represents only the changes managed via the [process](#change-management-process).
RequirementDescriptionL1L2L3
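Review bot: The link `[process](#change-management-process)` added in the last `+` line of this hunk points at an anchor that the same hunk renames: the heading changes from "Change management process" to "Enforced change management process", so the generated fragment will be `#enforced-change-management-process` and this link will dangle; update the fragment to match the new heading. Two smaller points in the new example list: "For example, this could be accomplished by:" followed by "- Via the configuration of branch protection rules" reads as "by: Via", so drop "Via" from the first bullet so all three bullets parallel each other, and "e.g.[GitHub]" is missing a space after "e.g.". Finally, the hunk removes the two sentences mapping this requirement to Source Level 2 and Level 3 ("ensures that all changes are recorded and attributable" / "ensures that the documented process was followed") without replacing them; if the level mapping now lives only in the requirements table, say so in the text or restore an equivalent sentence so readers of this section can still tell which level the enforcement and discoverability requirements apply at.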