This OpenSSF project develops tools that support the SLSA specification, with the goal of enabling the wider community to implement SLSA as a software producer or consumer.
The SLSA specification provides a framework for safeguarding artifact integrity across any software supply chain. However, it is just that: a specification. It leaves the hard work of figuring out how to implement it to the reader. This project helps with that effort by providing a set of tools that can be used directly, or that demonstrate how, to generate and verify SLSA provenance in different build environments.
The list of tools currently available includes:
Name | Repository | Description |
---|---|---|
SLSA GitHub Generator | https://github.com/slsa-framework/slsa-github-generator | A set of tools for generation of SLSA3+ provenance for native GitHub projects using GitHub Actions |
SLSA Azure DevOps Demo | https://github.com/slsa-framework/azure-devops-demo | A proof-of-concept SLSA provenance generator for Azure DevOps Pipelines |
SLSA Jenkins Generator | https://github.com/slsa-framework/slsa-jenkins-generator | A proof-of-concept SLSA provenance generator for Jenkins |
SLSA Verifier | https://github.com/slsa-framework/slsa-verifier | Verifier of SLSA provenance from compliant builders |
Note that these tools are not all at the same level of maturity: some are quite advanced while others are not, and some are actively maintained while others are not. Please consult each repository for further information.
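The verifier row above is the consumer side of the picture: a downloaded artifact is only as trustworthy as the policy checks run against its provenance. The following is an added example, written for this page and not code from slsa-verifier or any of the listed projects. It assumes a constructed in-toto v1 Statement carrying SLSA v1 provenance (the `externalParameters.workflow` layout mirrors what slsa-github-generator emits, but the sample, the `example-org/hello` repository and the builder tag are invented), and it assumes the DSSE envelope signature has already been verified, which is the Sigstore/Rekor step the real tool performs before any of these checks.

```python
"""Minimal SLSA provenance policy check a consumer runs before trusting an artifact.

Added example for this page; not part of slsa-verifier. Signature verification of
the DSSE envelope is assumed to have happened already and is out of scope here.
"""
import copy
import hashlib

# Constructed sample artifact and its provenance (not real tool output).
ARTIFACT = b"hello world\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "hello.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v1.0.0",
                    "repository": "https://github.com/example-org/hello",  # assumed repo
                    "path": ".github/workflows/release.yml",
                }
            },
        },
        "runDetails": {
            "builder": {
                # Builder ID in the form slsa-github-generator uses; tag is assumed.
                "id": "https://github.com/slsa-framework/slsa-github-generator/"
                      ".github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0"
            }
        },
    },
}

# Only builders under this prefix are trusted to have produced honest provenance.
TRUSTED_BUILDER_PREFIXES = ("https://github.com/slsa-framework/slsa-github-generator/",)


def verify_provenance(statement, artifact, expected_source, expected_ref=None):
    """Return a list of policy violations; an empty list means the artifact passed.

    The builder check comes first: if the builder is not trusted, nothing else the
    statement claims (subjects, source, ref) is worth reading.
    """
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 Statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("unexpected predicateType")

    pred = statement.get("predicate", {})
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not any(builder_id.startswith(p) for p in TRUSTED_BUILDER_PREFIXES):
        problems.append(f"untrusted builder: {builder_id!r}")
        return problems

    # The artifact we hold must be one of the subjects the builder attested to.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest not among provenance subjects")

    # The build must have come from the repository (and optionally ref) we expect.
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != expected_source:
        problems.append(f"source {wf.get('repository')!r} != {expected_source!r}")
    if expected_ref is not None and wf.get("ref") != expected_ref:
        problems.append(f"ref {wf.get('ref')!r} != {expected_ref!r}")
    return problems


def with_builder(statement, builder_id):
    """Return a deep copy of the statement claiming a different builder ID."""
    forged = copy.deepcopy(statement)
    forged["predicate"]["runDetails"]["builder"]["id"] = builder_id
    return forged


if __name__ == "__main__":
    src = "https://github.com/example-org/hello"
    print("genuine:   ", verify_provenance(SAMPLE_STATEMENT, ARTIFACT, src, "refs/tags/v1.0.0"))
    print("tampered:  ", verify_provenance(SAMPLE_STATEMENT, ARTIFACT + b"x", src))
    print("wrong repo:", verify_provenance(SAMPLE_STATEMENT, ARTIFACT, "https://github.com/other/hello"))
    print("forged:    ", verify_provenance(with_builder(SAMPLE_STATEMENT, "https://github.com/evil/gen"), ARTIFACT, src))
```

The order of checks is the design point: a statement from an untrusted builder is rejected outright, because every other field is the builder's word. The real slsa-verifier performs the same builder, subject and source checks after validating the Sigstore signature and Rekor log entry (its `verify-artifact` subcommand takes the artifact plus `--provenance-path` and `--source-uri`), which is why signature verification is deliberately left out of this illustration rather than faked.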
Slack channel: #slsa-tooling
We currently don't have any regular meetings. You can consult the Meeting Notes for a record of past calls, although those calls were not typically focused on the tools above.
This project is part of the Supply Chain Integrity WG alongside SLSA among others.
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.