Software Supply Chain Security, in Three Levels.


SLSA (Supply-chain Levels for Software Artifacts) is an OpenSSF project designed to help organizations secure their software supply chain, an attack surface that has seen an average 742% increase in attacks over the past three years. In response, governments around the world have tabled legislation, and the US government has issued Executive Order 14028 (“Improving the Nation’s Cybersecurity”) and proposed fines, all designed to compel software vendors to secure their software supply chain.

SLSA v1.0 introduces four build levels (from 0 to 3) that can help organizations understand where they are on the journey to a secure software supply chain. You can learn more from our eBook “Journey to Software Supply Chain Security”.


With the ActiveState Platform you gain SLSA Build Level 3 in a matter of days (not months). Meet government regulations and avoid potential fines. Free up your developers to work on what matters most: creating features and functionality.

Signed Attestations
Signed attestations are a critical piece of the EO 14028 and SLSA puzzle: they give you machine-readable, verifiable audit trails for your builds.

SBOMs (Software Bill of Materials)
Provide an auditable inventory of every component, and its version, that went into a runtime environment.

Hardened Build Service
Runtime environments are created with our SLSA Build Level 3-hardened build service.

What are the SLSA Build Levels?

  • Build Level 0: No guarantees – no SLSA requirements are met; nothing is known about how the artifact was built.
  • Build Level 1: Provenance – every artifact comes with a software attestation known as a “provenance attestation”: a machine-readable record of where the source came from, which build platform built it and how. Any code, library or open source package an organization imports should carry one. At this level the provenance need not be signed, so it documents the build but cannot yet prove that the record is genuine.
  • Build Level 2: Hosted Build Service + Signing – the build runs on a hosted build service (not a developer’s workstation), and that service signs the provenance attestation. Because the signed provenance includes the artifact’s digest, a downstream consumer that verifies the signature and compares the digest with the package it received can detect tampering after the build and confirm which build platform vouches for it.
  • Build Level 3: Hardened Builds – adds a number of controls that harden the build service itself:

    1. Builds defined entirely in version-controlled source (build as code) with no user-supplied parameters, so a bad actor cannot change what gets built by editing build scripts outside of review or by injecting parameters when a build is triggered.
    2. Build environments that are ephemeral, isolated and hermetic (all dependencies declared up front and fetched by the platform, with no internet access during the build itself), so that one build cannot influence another and a compromised build step cannot alter the result.
    3. An isolated signing service, so that the secrets used to sign the provenance are never exposed to user-defined build steps.

    Note that the SLSA v1.0 specification itself states Build Level 3 in terms of build isolation and protection of the signing material; parameterless and hermetic builds were Level 4 requirements in the earlier SLSA v0.1 draft and remain recommended hardening on top of the v1.0 requirements.
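
The flow the levels describe, as an added example that is not ActiveState’s or the SLSA project’s code: a builder produces an unsigned SLSA v1.0 provenance statement (Level 1), a build platform wraps it in a signed DSSE envelope (Level 2), and a downstream consumer checks the signature, the digest binding and the builder identity before trusting the artifact. The formats are the real ones (in-toto Statement v1, the SLSA provenance v1 predicate, DSSE pre-authentication encoding); the builder ID, source URI, commit, key ID and artifact bytes are constructed placeholders, and a real platform would sign with an isolated key service rather than an in-process Ed25519 key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

const (
	statementType = "https://in-toto.io/Statement/v1"
	slsaPredicate = "https://slsa.dev/provenance/v1"
	payloadType   = "application/vnd.in-toto+json"
)

// Subject binds the provenance to an artifact digest; Statement is the in-toto attestation carrying the SLSA v1 predicate.
type Subject struct{ Name string `json:"name"`; Digest map[string]string `json:"digest"` }
type Statement struct {
	Type          string         `json:"_type"`
	Subject       []Subject      `json:"subject"`
	PredicateType string         `json:"predicateType"`
	Predicate     map[string]any `json:"predicate"`
}

// Envelope is a DSSE envelope: the statement travels base64-encoded and is signed over its PAE, not its raw bytes.
type Signature struct{ KeyID string `json:"keyid"`; Sig string `json:"sig"` }
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// pae encodes "DSSEv1 SP LEN(type) SP type SP LEN(payload) SP payload".
func pae(ptype string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(ptype), ptype, len(payload), payload))
}

// NewProvenance is the Build L1 step: the builder records what it produced, the source it built from and its identity.
func NewProvenance(name string, artifact []byte, builderID, sourceURI, commit string) Statement {
	sum := sha256.Sum256(artifact)
	return Statement{
		Type:          statementType,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: slsaPredicate,
		Predicate: map[string]any{
			"buildDefinition": map[string]any{"externalParameters": map[string]any{
				"source": map[string]any{"uri": sourceURI, "digest": map[string]string{"gitCommit": commit}}}},
			"runDetails": map[string]any{"builder": map[string]string{"id": builderID}},
		},
	}
}

// Sign is the Build L2 step: the hosted build platform signs the provenance with a key build steps never see.
func Sign(stmt Statement, priv ed25519.PrivateKey, keyID string) Envelope {
	body, _ := json.Marshal(stmt) // cannot fail here: the statement holds only strings and maps
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// Verify is what a downstream consumer runs before trusting an artifact: a valid signature from a
// trusted build platform key, a digest binding to the artifact in hand, and the expected builder ID.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey, artifact []byte, wantBuilder string) (*Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != payloadType {
		return nil, fmt.Errorf("malformed envelope")
	}
	signed := false // signatures are checked before any untrusted JSON is parsed
	for _, s := range env.Signatures {
		pub, known := trusted[s.KeyID]
		sig, derr := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || (known && derr == nil && ed25519.Verify(pub, pae(env.PayloadType, body), sig))
	}
	if !signed {
		return nil, fmt.Errorf("no valid signature from a trusted build platform key")
	}
	var stmt Statement
	if err := json.Unmarshal(body, &stmt); err != nil || stmt.Type != statementType || stmt.PredicateType != slsaPredicate {
		return nil, fmt.Errorf("payload is not a SLSA v1 provenance statement")
	}
	sum := sha256.Sum256(artifact)
	bound := false
	for _, subj := range stmt.Subject {
		bound = bound || subj.Digest["sha256"] == hex.EncodeToString(sum[:])
	}
	if !bound {
		return nil, fmt.Errorf("artifact digest does not match any provenance subject")
	}
	run, _ := stmt.Predicate["runDetails"].(map[string]any)
	builder, _ := run["builder"].(map[string]any)
	if id, _ := builder["id"].(string); id != wantBuilder {
		return nil, fmt.Errorf("provenance produced by %q, expected %q", id, wantBuilder)
	}
	return &stmt, nil
}
```

The order of checks in Verify is the point: signature first, so unauthenticated JSON is never interpreted; then the digest, so genuine provenance for some other artifact cannot be replayed against the one you hold; then the builder ID, so a valid signature from a trusted key is still rejected if it vouches for the wrong build platform. Level 3’s isolation and signing-key protection are properties of the platform and do not appear in the verifier; their effect is that the signature checked here is much harder for a compromised build step to forge.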

Implementing all these requirements typically involves multiple tools, as well as extensive time and resources. Alternatively, the ActiveState Platform provides a SLSA Build Level 3-compliant service for your open source runtime environments that can be easily integrated with your existing software development process in days.  

Additional Resources

Business Leader’s Guide To Establishing Software Supply Chain Trust

Business leaders concerned with the security of the software they produce and purchase need to be aware of emerging software supply chain attack vectors. This white paper provides leaders with the knowledge they need to manage software supply chain risks, whether they’re buying software or creating it.

Understanding Secure Software Supply Chain Legislations Around The World

Learn about government-enacted secure software supply chain legislation that is imposing requirements on software vendors and how to comply.

Introducing SLSA 1.0: Securing The Code You Import & Build

Supply-chain Levels for Software Artifacts (SLSA) is an emerging framework for securing the software supply chain; it is distinct from, and complementary to, NIST’s Secure Software Development Framework (SSDF, SP 800-218). Learn why you should care, how to comply, and try a SLSA Build Level 3 build.

Let’s discuss your Software Supply Chain Security

Talk to our security experts about how to get compliant with EO 14028 and SLSA 1.0.