Google Intros SLSA Framework to Enforce Supply Chain Integrity

The U.S. tech giant this week unveiled SLSA (Supply chain Levels for Software Artifacts), a new end-to-end framework the company hopes will drive the enforcement of standards and guidelines to ensuring the integrity of software artifacts throughout the software supply chain.
The long-term goal is for SLSA to support the automatic creation of auditable metadata that can be fed into policy engines to give “SLSA certification” to a particular package or build platform.
“Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source — something that is difficult, if not impossible, to do with most software today,” the company said.