Google Intros SLSA Framework to Enforce Supply Chain Integrity

  • The U.S. tech giant this week unveiled SLSA (Supply chain Levels for Software Artifacts), a new end-to-end framework the company hopes will drive the enforcement of standards and guidelines to ensure the integrity of software artifacts throughout the software supply chain.
  • The long-term goal is for SLSA to support the automatic creation of auditable metadata that can be fed into policy engines to give “SLSA certification” to a particular package or build platform.
  • “Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source — something that is difficult, if not impossible, to do with most software today,” the company said.