slsa
Safeguard articles tagged "slsa" — guides, analysis, and best practices for software supply chain and application security.
77 articles
SLSA Build L1 to L3 Migration Playbook
Moving from SLSA Build L1 to L3 is less a single upgrade and more a series of hardening steps. Here is the playbook we use with customers, mapped to the v1.0 specification.
What is a Software Attestation
A software attestation is a signed, machine-readable claim about an artifact — who built it, what it contains, which checks it passed — that a machine can verify before trusting it.
How to Publish an npm Package With Provenance
A step-by-step tutorial for publishing npm packages with provenance attestations so your consumers can cryptographically verify the build source.
RSA Conference 2023 Supply Chain Track: Field Notes
Five takeaways from the supply chain sessions at RSA Conference 2023, from SBOM adoption skepticism to attestation tooling and federal procurement pressure.
SLSA v1.0: Software Provenance Attestation Goes Mainstream
The SLSA framework reached v1.0 in April 2023, providing a practical framework for software supply chain integrity that's already being adopted by major package registries.
Reproducible Builds in the Go Ecosystem
Go's toolchain makes reproducible builds unusually tractable. Here is how to reach bit-for-bit builds across machines in 2023, and where the rough edges remain.
How Google Secures Its Software Supply Chain
An inside look at Google's multi-layered approach to supply chain security, from Binary Authorization to SLSA, and what other organizations can adapt from their model.
SLSA v1.0: Supply-chain Levels for Software Artifacts Reaches Maturity
SLSA v1.0 simplifies the framework and makes it practical to adopt. Here's what changed and how to implement it.
Software Attestation in Practice: From Theory to Implementation
Software attestation is moving from academic concept to practical requirement. Here's how to implement it in your build pipelines today.
Defense in Depth for the Software Supply Chain
No single control stops supply chain attacks. Defense in depth — layered controls across the entire software lifecycle — is the only strategy that works against sophisticated adversaries.
SLSA vs SSDF vs S2C2F: Framework Comparison
Three supply chain integrity frameworks. Three different authors. Three different audiences. A practical comparison of SLSA, NIST SSDF, and Microsoft S2C2F for teams picking one.
Build Artifact Integrity Verification: From Source to Deployment
If you cannot verify that your deployed artifact matches your reviewed source code, your entire code review process is security theater. Here is how to close that gap.