Supply-chain Levels for Software Artifacts (SLSA)

Supply-chain Levels for Software Artifacts (SLSA), pronounced “salsa”, is a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The standard is defined in terms of artifact producers, verifiers, consumers, and infrastructure providers.

GitLab, as an infrastructure provider, provides tools for users to securely produce metadata associated with containers and artifacts. Additionally, GitLab provides mechanisms to verify and safely use this metadata to harden supply chains and prevent some attack types.

SLSA levels

GitLab can produce provenance attestations compliant with the SLSA specification at different levels. Achieving specific levels requires self-assessment against specific criteria.

For more information, see the SLSA Build: Track Basics page.

Level 1: Provenance showing how the package was built

SLSA level 1 requires automatically generated provenance that describes how the artifact was built, including:

  • What entity built the package.
  • What build process was used.
  • What was the top-level input to the build.

Level 2: Signed provenance, generated by a hosted build platform

SLSA level 2 has the same requirements as level 1, but additionally requires the hosted build platform to sign the generated provenance. Signing can be done by:

  • The original build.
  • An after-the-fact reproducible build.
  • Some equivalent system that ensures the trustworthiness of the provenance.

GitLab offers an SLSA level 2-compliant provenance statement that can be generated automatically for all build artifacts produced by the GitLab Runner. This provenance statement is also level 1 compliant and is produced by the runner itself.

Implementing SLSA at this level has many benefits, including:

  • Aiding organizations in creating an inventory of software and build platforms.
  • Preventing tampering through digital signatures.
  • Reducing the attack surface to the specific build platforms.
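As an added example (not GitLab's code, and not the GitLab Runner's actual provenance format), the Go program below shows what the level 1 and level 2 requirements look like in practice: it records the three level 1 facts (what entity built the package, what build process was used, what the top-level input was) in an in-toto Statement carrying a SLSA provenance v1 predicate, bound to the artifact by its SHA-256 digest; the build platform then signs the statement in a DSSE envelope with an ed25519 key; finally a consumer-side check verifies the signature before trusting any field, and only then applies policy (expected builder identity, and the subject digest matches the artifact actually in hand). The `gitlab.example` URLs, the key id and the artifact bytes are constructed placeholders; the struct field names follow the published in-toto and SLSA v1 schemas, but only the fields used here are modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// In-toto Statement v1 carrying a SLSA provenance v1 predicate; only the schema fields this example needs are modelled.
type (
	Statement struct {
		Type          string     `json:"_type"`
		Subject       []Subject  `json:"subject"`
		PredicateType string     `json:"predicateType"`
		Predicate     Provenance `json:"predicate"`
	}
	Subject struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	}
	Provenance struct {
		BuildDefinition struct {
			BuildType          string            `json:"buildType"`          // what build process was used
			ExternalParameters map[string]string `json:"externalParameters"` // the top-level input to the build
		} `json:"buildDefinition"`
		RunDetails struct {
			Builder struct{ ID string `json:"id"` } `json:"builder"` // what entity built the package
		} `json:"runDetails"`
	}
	Envelope struct { // DSSE envelope: the signed container around the statement (level 2)
		PayloadType string      `json:"payloadType"`
		Payload     string      `json:"payload"`
		Signatures  []Signature `json:"signatures"`
	}
	Signature struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	}
)

const payloadType = "application/vnd.in-toto+json"

// pae is the DSSE pre-authentication encoding: the bytes actually signed, binding payload type to payload.
func pae(pt string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(pt), pt, len(payload), payload))
}

// NewProvenance records the level-1 facts (builder, build process, top-level input), bound to the artifact by digest.
func NewProvenance(name string, artifact []byte, builderID, buildType, source string) Statement {
	st := Statement{Type: "https://in-toto.io/Statement/v1", PredicateType: "https://slsa.dev/provenance/v1"}
	st.Subject = []Subject{{Name: name, Digest: map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(artifact))}}}
	st.Predicate.BuildDefinition.BuildType = buildType
	st.Predicate.BuildDefinition.ExternalParameters = map[string]string{"source": source}
	st.Predicate.RunDetails.Builder.ID = builderID
	return st
}

// Sign is the build platform's step (level 2); the private key never reaches the user-defined build steps.
func Sign(st Statement, priv ed25519.PrivateKey, keyID string) Envelope {
	body, _ := json.Marshal(st) // cannot fail: the statement holds only strings and maps of strings
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, body)))
	return Envelope{payloadType, base64.StdEncoding.EncodeToString(body), []Signature{{keyID, sig}}}
}

// Verify is the consumer's step: check the signature before trusting any field, then apply policy
// (the expected builder produced the provenance, and its subject digest matches the artifact in hand).
func Verify(env Envelope, pub ed25519.PublicKey, wantBuilder string, artifact []byte) (st Statement, err error) {
	body, decodeErr := base64.StdEncoding.DecodeString(env.Payload)
	signed := false
	for _, s := range env.Signatures {
		raw, e := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || (decodeErr == nil && e == nil && ed25519.Verify(pub, pae(env.PayloadType, body), raw))
	}
	if !signed {
		return st, fmt.Errorf("envelope is malformed or carries no valid signature by the trusted build platform key")
	}
	if err = json.Unmarshal(body, &st); err != nil {
		return st, err
	}
	if got := st.Predicate.RunDetails.Builder.ID; got != wantBuilder {
		return st, fmt.Errorf("provenance claims builder %q, expected %q", got, wantBuilder)
	}
	want := fmt.Sprintf("%x", sha256.Sum256(artifact))
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == want {
			return st, nil
		}
	}
	return st, fmt.Errorf("artifact digest %s is not a subject of this provenance", want)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the platform's signing key pair
	artifact := []byte("constructed sample artifact bytes")
	st := NewProvenance("app.tar.gz", artifact, "https://gitlab.example/runner", "https://gitlab.example/ci", "git+https://gitlab.example/group/project")
	_, err := Verify(Sign(st, priv, "platform-key-1"), pub, "https://gitlab.example/runner", artifact)
	fmt.Println("provenance verified:", err == nil)
}
```

The ordering in `Verify` is the point worth copying: nothing inside the payload is parsed until the signature over the DSSE pre-authentication encoding checks out, because before that step every field (including the builder id) is attacker-writable. Swapping the artifact, swapping the builder id, editing the payload, or signing with a key the consumer does not trust all fail the check.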

Sign and verify SLSA provenance with a CI/CD component

The GitLab SLSA CI/CD component provides configurations for:

For more information and example configurations, see the SLSA Component documentation.

Level 3: Hardened build platform

SLSA level 3 implements all the requirements of levels 1 and 2 and additionally prevents tampering with the provenance, for example by an attacker who has compromised the build process itself.

This increased tamper resistance comes from:

  • Increased runner isolation.
  • Ensuring secret material is not accessible to the environment running the user-defined build steps.
  • Ensuring every field in the provenance is generated or verified by the build platform in a trusted control plane.

For more information, see the SLSA level 3 page and the SLSA provenance specification.