This is a working draft. This document may be modified, replaced, or discarded at any time.

Version 1.2 is the current version. See the Version 1.2 documentation.

What's new

This document describes the major changes brought by this Working Draft relative to the prior release, [v1.1].

Summary of changes

  • Consolidated all SLSA terminology definitions into one file.
  • Addition of the Build Environment Track, which helps organizations validate the integrity and trace the provenance of core build platform components.
  • Addition of the Dependencies Track, which enables a software producer to measure, control, and reduce risk introduced from third party dependencies.
  • Updated the Source Track, which helps organizations secure their source code development process and consumers establish trust in that source.
  • Updated Cross-Track Threats and Mitigations to account for the threats mitigated by the new tracks.
  • Improved the structure of the spec to accommodate multiple tracks.
  • Addition of SLSA Verified Properties, which allow recognition of software supply chain controls that don’t fit neatly within existing SLSA levels, or that do exist within SLSA levels but where there is utility in recognizing the specific control while the software might not meet all the other requirements of that level.