SLSA (pronounced "salsa") is security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity.
The best way to read about SLSA is to visit slsa.dev.
The fun way to get a taste of SLSA is to check out the Operation SLSA videos.
The primary content of this repo is the docs/ directory, which contains the core SLSA specification and sources to the slsa.dev website.
You can read SLSA's documentation here:
- Levels (Defining the framework)
- Requirements (How to attain compliance)
- Use cases
- Our roadmap
SLSA is currently in alpha. The framework is constantly being improved. We encourage the community to try adopting SLSA levels incrementally and to share your experiences back to us.
SLSA is currently led by an initial cross-organization, vendor-neutral steering committee. This committee is:
- Bruno Domingues - Intel
- David A. Wheeler - Linux Foundation
- Joshua Lock - VMware
- Mark Lodato - Google
- Mike Lieberman - Citi/CNCF
- Trishank Karthik Kuppusamy - Datadog
- Zak Greant - ActiveState
Shortcut to notify the steering committee on any issues/PRs:
@slsa-framework/teams/slsa-steering-committee
We rely on feedback from other organizations to evolve SLSA and be more useful to more people. We’d love to hear your experiences using it.
Are the levels achievable in your project? Would you add or remove anything from the framework? What else is needed before you can adopt it?
- If you want to discuss the framework, Github issues are the way.
- If you want to contribute to the framework take a look at our contribution guidelines.
- We meet bi-weekly on Wednesdays at 9am PT. Anyone is welcome to join, whether to listen or to contribute. Here's the invite.
- We're part of the OpenSSF Digital Identity Attestation Working Group. The OpenSSF community calendar is here.
- Our mailing list is [email protected].
- You can join our chat on the OpenSSF Slack here