Top Related Projects
Code signing and transparency for containers and binaries
OCI Image Format
Quick Overview
The SLSA (Supply-chain Levels for Software Artifacts) framework is an open-source initiative that aims to provide a set of security guidelines and best practices for ensuring the integrity and provenance of software artifacts throughout the software supply chain. It is designed to help organizations build secure and trustworthy software by establishing a common set of requirements and recommendations for software supply chain security.
Pros
- Comprehensive Security Guidelines: SLSA provides a comprehensive set of security guidelines and best practices that cover various aspects of the software supply chain, including source code management, build processes, artifact storage, and distribution.
- Vendor-Neutral Approach: The SLSA framework is vendor-neutral, allowing it to be adopted and implemented by organizations regardless of their specific technology stack or toolchain.
- Collaborative Development: The SLSA project is developed and maintained by a community of security experts, software engineers, and industry leaders, ensuring that the guidelines are continuously updated and improved.
- Increased Trust and Transparency: By following the SLSA guidelines, organizations can demonstrate the integrity and provenance of their software artifacts, increasing trust among their customers and stakeholders.
Cons
- Complexity: Implementing the SLSA guidelines can be a complex and time-consuming process, especially for organizations with large and complex software supply chains.
- Adoption Challenges: While the SLSA framework is gaining traction, it may face challenges in widespread adoption, as it requires a significant investment of resources and a cultural shift within organizations.
- Potential Overhead: Adhering to the SLSA guidelines may introduce additional overhead and complexity to the software development and deployment processes, which could impact development velocity and efficiency.
- Ongoing Maintenance: Maintaining compliance with the SLSA guidelines requires continuous effort and vigilance, as the software supply chain and security landscape are constantly evolving.
Code Examples
N/A (This is not a code library)
Getting Started
N/A (This is not a code library)
Competitor Comparisons
Code signing and transparency for containers and binaries
Pros of Cosign
- Cosign provides a simple and user-friendly interface for signing and verifying container images, making it easier for developers to secure their software supply chain.
- Cosign integrates with popular container registries like Docker Hub and Google Container Registry, allowing for seamless integration with existing workflows.
- Cosign supports multiple signature formats, including ECDSA and RSA, providing flexibility in the choice of cryptographic algorithms.
Cons of Cosign
- Cosign is primarily focused on container image signing and verification, while SLSA (Secure Software Delivery Specification) provides a more comprehensive framework for securing the entire software supply chain.
- Cosign may have a steeper learning curve for users who are not familiar with container image management and security concepts.
Code Comparison
Cosign (Signing a container image):
// Create a new Cosign signer
signer, err := cosign.NewSigner(cosign.SignerOpts{
PrivateKey: privateKey,
Passphrase: passphrase,
})
if err != nil {
return err
}
// Sign the container image
err = signer.SignImage(ctx, imageRef)
if err != nil {
return err
}
SLSA (Generating a provenance file):
// Create a new SLSA provenance builder
builder := slsa.NewProvenanceBuilder()
// Add metadata to the provenance
builder.SetName("my-project")
builder.SetVersion("v1.0.0")
builder.SetType("build")
// Generate the provenance
provenance, err := builder.Build()
if err != nil {
return err
}
// Save the provenance to a file
err = ioutil.WriteFile("provenance.json", []byte(provenance), 0644)
if err != nil {
return err
}
OCI Image Format
Pros of opencontainers/image-spec
- Widely adopted and supported by major container platforms and tools
- Comprehensive specification for container image format and metadata
- Provides a standardized way to build, distribute, and run container images
Cons of opencontainers/image-spec
- Complexity of the specification can be a barrier for some users
- Limited support for advanced security features like provenance and attestation
- Primarily focused on container images, may not address broader software supply chain concerns
Code Comparison
slsa-framework/slsa
def generate_provenance(artifact, builder, source, materials):
"""
Generate a SLSA provenance document for the given artifact.
"""
provenance = {
"type": "https://in-toto.io/Statement/v0.1",
"subject": {
"name": artifact,
"digest": {
"sha256": hashlib.sha256(artifact.encode()).hexdigest()
}
},
"predicate": {
"type": "https://slsa.dev/provenance/v0.2",
"builder": builder,
"buildType": "https://slsa.dev/provenance/v0.2/buildType/remote",
"invocation": {
"configSource": source,
"parameters": materials
}
}
}
return provenance
opencontainers/image-spec
type Descriptor struct {
// MediaType is the media type of the referenced object.
MediaType string `json:"mediaType,omitempty"`
// Digest is the digest of the targeted content.
Digest string `json:"digest"`
// Size specifies the size in bytes of the blob.
Size int64 `json:"size"`
// URLs specifies a list of URLs from which this object may be downloaded
URLs []string `json:"urls,omitempty"`
// annotations contains arbitrary metadata.
Annotations map[string]string `json:"annotations,omitempty"`
}
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
SLSA ("salsa") is Supply-chain Levels for Software Artifacts
SLSA (pronounced "salsa") is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity. Itâs how you get from safe enough to being as resilient as possible, at any link in the chain.
Learning about SLSA
See https://slsa.dev to learn about SLSA.
What's in this repo?
The primary content of this repo is the docs/ directory, which contains the core SLSA specification and sources to the slsa.dev website. See the README.md in that directory for instructions on how to build the site.
This repository also hosts SLSA's main issue tracker, covering the website, specification, and overall project management. Other git repositories within the slsa-framework organization have repo-specific issue trackers.
How to get involved
See https://slsa.dev/community for ways to get involved in SLSA development.
Active workstreams
| Workstream | Shepherd |
|---|---|
| Build Level 4 | David A Wheeler (@david-a-wheeler) |
| Attested Build Environments Track | Marcela Melara (@marcelamelara), Pavel Iakovenko (@paveliak) |
| Source Track | Tom Hennen (@TomHennen) |
| Version 1.2 release | Arnaud J Le Hors (@lehors) |
URL Aliases
We have several redirect configured on slsa.dev for convenience of the team:
- https://slsa.dev/gh ⇒ SLSA GitHub repo
- https://slsa.dev/notes ⇒ meeting notes
Governance
SLSA is an OpenSSF project. See slsa-framework/governance for governance information, including current steering committee members.
To include the steering committee on GitHub, use
@slsa-framework/slsa-steering-committee.
License
All SLSA specification content contributed following adoption of the Community Specification governance model is provided under the Community Specification License 1.0.
Pre-existing portions of the SLSA specification from contributors who have not subsequently contributed under the Community Specification License 1.0 following its adoption are provided under the Apache License 2.0.
Top Related Projects
Code signing and transparency for containers and binaries
OCI Image Format
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot