This is a working draft. This document may be modified, replaced, or discarded at any time.

For the latest release candidate or approved version, please use the version selector.

Version 1.0 is the current version. See the Version 1.0 documentation.

Security levels

SLSA is organized into a series of levels and tracks that provide increasing supply chain security guarantees on various aspects of the supply chain security. This gives you confidence that software hasn’t been tampered with and can be securely traced back to its source.

This page is a descriptive overview of the SLSA tracks and levels, describing their intent. For the prescriptive requirements for each track and level, see the individual track specifications. For a general overview of SLSA, see About SLSA.

Levels and tracks

SLSA levels are split into tracks. Each track has its own set of levels that measure a particular aspect of supply chain security. The purpose of tracks is to recognize progress made in one aspect of security without blocking on an unrelated aspect. Tracks also allow the SLSA spec to evolve: we can add more tracks without invalidating previous levels.

Build track levels

Track/Level Requirements Focus
[Build L0] (none) (n/a)
[Build L1] Provenance showing how the package was built Mistakes, documentation
[Build L2] Signed provenance, generated by a hosted build platform Tampering after the build
[Build L3] Hardened build platform Tampering during the build

Note: The previous version of the specification used a single unnamed track, SLSA 1–4. For version 1.0 the Source aspects were removed to focus on the Build track. A Source track may be added in [future versions].

For more information see the Build track specification.

Source track levels

Track/Level Requirements Focus
[Source L0] (none) (n/a)
[Source L1] Version controlled Change tracking
[Source L2] Branch history Tampering of source versioning
[Source L3] Authenticatable and Auditable Provenance Tampering within the SCS’s storage systems.

For more information see the Source track specification.

Build Environment track levels

Track/Level Requirements Focus Trust Root
[BuildEnv L0] (none) (n/a) (n/a)
[BuildEnv L1] Signed build image provenance exists Tampering during build image distribution Signed build image provenance
[BuildEnv L2] Attested build environment instantiation Tampering via the build platform’s control plane The compute platform’s host interface
[BuildEnv L3] Hardware-attested build environment Tampering via the compute platform’s host interface The compute platform’s hardware

For more information see the Build Environment track specification.

‹ Terminology Threats & mitigations ›