doc/ci/pipeline_security/slsa/_index.md
Supply-chain Levels for Software Artifacts (SLSA), pronounced "salsa", is a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The standard is defined in terms of artifact producers, verifiers, consumers, and infrastructure providers.
As an infrastructure provider, GitLab offers tools for users to securely produce metadata associated with containers and artifacts. GitLab also provides mechanisms to verify this metadata and use it safely, which hardens supply chains and prevents some classes of attack.
GitLab can produce provenance attestations compliant with the SLSA specification at different levels. Achieving specific levels requires self-assessment against specific criteria.
For more information, see the SLSA Build: Track Basics page.
SLSA level 1 requires automatically generated provenance that describes how the artifact was built, including:
SLSA level 2 has the same requirements as level 1, but additionally requires the hosted build platform to sign the generated provenance. Signing can be done by:
GitLab offers a SLSA level 2 compliant provenance statement that can be automatically generated for all build artifacts produced by the GitLab Runner. This provenance statement is also level 1 compliant, and produced by the runner itself.
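A consumer that receives an artifact together with its provenance statement still has to check that the statement actually describes that artifact and that it came from a builder and source it trusts. The following is an added example, not GitLab's code, and it does not assume anything about the exact layout of the statement the GitLab Runner emits: it verifies a constructed in-toto statement carrying a SLSA provenance v1 predicate against the bytes of a constructed artifact. Builder ids, repository URLs and build type are placeholder values. Signature verification of the enclosing envelope (the level 2 requirement) is assumed to have been done by a separate tool before this content check runs.

```python
"""Content check of a SLSA provenance statement against the artifact it names.

Added example, not GitLab's code. The statement, artifact bytes, builder id and
repository URL below are constructed placeholders. Signature verification of the
envelope is assumed to happen beforehand in a separate step; this code only
checks that the already-authenticated statement matches the artifact and the
expected build context.
"""
import copy
import hashlib

INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed artifact standing in for a real build output.
ARTIFACT_NAME = "app.sh"
ARTIFACT_BYTES = b"#!/bin/sh\necho release-1.2.3\n"

# Policy: which builders and source repository this consumer accepts
# (placeholder values, not real identifiers).
TRUSTED_BUILDERS = {"https://example.invalid/builders/ci-runner"}
EXPECTED_REPOSITORY = "https://example.invalid/group/app.git"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed provenance statement for the artifact above.
PROVENANCE = {
    "_type": INTOTO_STATEMENT_TYPE,
    "predicateType": SLSA_PREDICATE_TYPE,
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": sha256_hex(ARTIFACT_BYTES)}}],
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/ci/v1",
            "externalParameters": {"repository": EXPECTED_REPOSITORY},
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/ci-runner"}},
    },
}


def verify_provenance(statement: dict, artifact: bytes, artifact_name: str) -> list:
    """Return the list of policy failures; an empty list means the artifact is accepted."""
    failures = []
    if statement.get("_type") != INTOTO_STATEMENT_TYPE:
        failures.append("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_PREDICATE_TYPE:
        failures.append("predicate is not SLSA provenance v1")

    # The subject must name this artifact AND carry the digest of the bytes we hold;
    # a statement for a different build of the same file name must not pass.
    digest = sha256_hex(artifact)
    matched = [
        s for s in statement.get("subject", [])
        if s.get("name") == artifact_name
        and s.get("digest", {}).get("sha256", "").lower() == digest
    ]
    if not matched:
        failures.append(f"no subject matches {artifact_name} with sha256 {digest}")

    predicate = statement.get("predicate", {})
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in TRUSTED_BUILDERS:
        failures.append(f"untrusted builder: {builder_id!r}")

    repo = predicate.get("buildDefinition", {}).get("externalParameters", {}).get("repository")
    if repo != EXPECTED_REPOSITORY:
        failures.append(f"unexpected source repository: {repo!r}")
    return failures


def with_builder(statement: dict, builder_id: str) -> dict:
    """Demo helper: copy of the statement claiming a different builder."""
    altered = copy.deepcopy(statement)
    altered["predicate"]["runDetails"]["builder"]["id"] = builder_id
    return altered


if __name__ == "__main__":
    print("genuine:", verify_provenance(PROVENANCE, ARTIFACT_BYTES, ARTIFACT_NAME))
    print("modified artifact:", verify_provenance(PROVENANCE, ARTIFACT_BYTES + b"\n", ARTIFACT_NAME))
    rogue = with_builder(PROVENANCE, "https://example.invalid/builders/rogue")
    print("rogue builder:", verify_provenance(rogue, ARTIFACT_BYTES, ARTIFACT_NAME))
```

The check returns every failure rather than stopping at the first so that a rejected artifact can be logged with the full reason. Because the digest is recomputed from the bytes actually received, an artifact that was swapped or altered after the build fails even when it arrives alongside a perfectly valid statement for the original build.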
Implementing SLSA at this level has many benefits, including:
The GitLab SLSA CI/CD component provides configurations for:
For more information and example configurations, see the SLSA Component documentation.
SLSA Level 3 implements all the requirements of levels 1 and 2, and additionally protects the provenance against tampering, for example by an attacker who has compromised the build process itself.
This increased tamper resistance comes from:
For more information, see the SLSA level 3 page and the SLSA provenance specification.