Supply-chain Levels for Software Artifacts, or SLSA ("salsa"). It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It’s how you get from "safe enough" to being as …

2023年6月11日 · Google 的 SLSA 框架（Supply-chain Levels for Software Artifacts 软件制品的供应链级别）是通过识别 CI/CD 流水线中的问题并减小影响，为实现更安全的软件开发和部署流程提供建议。 SLSA 全名是 Supply chain Levels for Software Artifacts, or SLSA (发音“ salsa ”). SLSA 是一个端到端框架，一个标准和控制的清单确保软件构建和部署过程的安全性，防止篡改源代码、构建平台以及构件仓库而产生的威胁。 任何软件供应链都可能引入漏洞，随着系统变得越来 …

2021年6月23日 · 谷歌提出的解决方案是软件开发的供应链级别（Supply chain Levels for Software Artifacts 简称 SLSA，发音为“salsa”），这是一个端到端框架，用于保证整个软件供应链中组件的完整性。 它的灵感来自于谷歌内部的“ Borg二进制授权系统”，它已经在谷歌内部使用了8年多，并且强制托管谷歌所有生产工作负载。 SLSA的目标是改善行业状况，尤其是开源软件安全状况，进而抵御最要紧的供应链完整性威胁。 使用SLSA，用户方便根据他们目前使用软件的安全状况 …

SLSA (pronounced "salsa") is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity. It’s how you get from safe enough to being as resilient as …

2021年7月9日 · 这套解决方案名为Supply chain Levels for Software Artifacts（软件构件的供应链级别），简称为 SLSA。 这个端到端的框架旨在确保软件开发和部署过程的安全性，专注于缓解由于篡改源代码、构建平台或构件仓库而产生的威胁。

2022年6月15日 · SLSA defines expectations for isolated ephemeral build environments, trusted builders, repeatable builds, build config as code, and parameterless builds. This enables organizations to establish and follow best practices for build environments and configurations.

2021年7月27日 · 这套解决方案名为Supply chain Levels for Software Artifacts（软件构件的供应链级别），简称为 SLSA。 这个端到端的框架旨在确保软件开发和部署过程的安全性，专注于缓解由于篡改源代码、构建平台或构件仓库而产生的威胁。 SLSA的灵感来自于谷歌内部执行机制 Binary Authorization for Borg（BAB），这是一套验证代码来源并实现代码标识的审计工具，以确认部署的产品软件是否经过了适当的审查和授权。 本文将从 WHY、WHAT 、HOW 三方面展开了解 …

SLSA is a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The specification set by SLSA is useful for both software producers and consumers: producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether ...

The SLSA framework helps organizations measure the level of assurance that the Software Artifacts they produce actually contain and use what they intended (integrity), by ensuring that the whole build and release process, and all of the involved sources and …

2024年3月5日 · SLSA (Supply-chain Levels for Software Artifacts) is one of the most comprehensive and widely adopted security frameworks for CI/CD pipelines. It provides a structured, tiered approach to securing software development, focusing on build integrity, provenance, and tamper resistance.