Achieving SLSA Certification with a “Bring-Your-Own-Builder” Framework

Supply-chain Levels for Software Artifacts, or SLSA (pronounced “salsa”), is a security framework to reason about and improve the integrity of released artifacts. With the recent release of SLSA version 1.0, SLSA is seeing increased adoption, both from industry and open source projects. The framework provides guidelines and compliance programs for infrastructure providers to integrate SLSA requirements in their build platforms. However, implementing a SLSA-compliant builder requires expertise in both SLSA and the underlying platform used to build it.

Come to this talk to learn about recent work that allows you to wrap existing tools (in the form of a binary, a GitHub Action, or a container) into a SLSA-compliant builder with minimal effort on existing open-source CI/CD platforms. We will show how SLSA builders for several package managers, such as npm and maven, are implemented with this framework on GitHub Actions. We will also report the lessons learned and the challenges we faced, in the hope it will help others that our experiences will help others implement trusted builders more effectively.

At the end of this talk, attendees will have enough background to make a tool attest to its output using SLSA provenance.