Slsa

Supply-chain Levels for Software Artifacts

Install / Use

/learn @slsa-framework/Slsa
About this skill

Quality Score

0/100

Category

Operations

Supported Platforms

Universal

README

SLSA ("salsa") is Supply-chain Levels for Software Artifacts

SLSA (pronounced "salsa") is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity. It’s how you get from safe enough to being as resilient as possible, at any link in the chain.

Learning about SLSA

See https://slsa.dev to learn about SLSA.

What's in this repo?

The primary content of this repo is the spec/ directory, which contains the core SLSA specification, and the www/ directory, which contains the sources of the slsa.dev website. See the README.md in the www/ directory for instructions on how to build the site.

The spec/ folder on the main branch contains the current Draft specification. Released versions of the spec are found in the same folder on the corresponding release branch (e.g., releases/v1.0, releases/v1.2).

This repository also hosts SLSA's main issue tracker, covering the website, specification, and overall project management. Other git repositories within the slsa-framework organization have repo-specific issue trackers.

How to get involved

See https://slsa.dev/community for ways to get involved in SLSA development.

Active workstreams

| Workstream | Shepherd |
| ---------- | ---------- |
| Build Level 4 | David A Wheeler (@david-a-wheeler) |
| Attested Build Environments Track | Marcela Melara (@marcelamelara), Pavel Iakovenko (@paveliak) |
| Source Track | Tom Hennen (@TomHennen) |
| Version 1.2 release | Arnaud J Le Hors (@lehors) |

URL Aliases

We have several redirects configured on slsa.dev for the convenience of the team:

  • https://slsa.dev/gh ⇒ SLSA GitHub repo
    • https://slsa.dev/gh/issues
    • https://slsa.dev/gh/pulls
    • etc...
  • https://slsa.dev/notes ⇒ meeting notes
    • https://slsa.dev/notes/community
    • https://slsa.dev/notes/positioning
    • https://slsa.dev/notes/specification (or .../spec)
    • https://slsa.dev/notes/tooling

Governance

SLSA is an OpenSSF project. See slsa-framework/governance for governance information, including current steering committee members.

To include the steering committee on GitHub, use @slsa-framework/slsa-steering-committee.

License

All SLSA specification content contributed following adoption of the Community Specification governance model is provided under the Community Specification License 1.0.

Pre-existing portions of the SLSA specification from contributors who have not subsequently contributed under the Community Specification License 1.0 following its adoption are provided under the Apache License 2.0.

GitHub Stars: 1.8k
Category: Operations
Updated: 3d ago
Forks: 278

Languages

HTML

Security Score

85/100

Audited on Mar 29, 2026

No findings