SLSA L1 Framework
Type: Initiative
ID: SLSA.L1
Version: 1.0.0
Bundle-Version: v2
Source: v2/initiatives/slsa.l1.yaml
Help: https://slsa.dev/
Evaluate SLSA Level 1
Description
This initiative ensures that every critical build artifact includes the minimum required provenance metadata as specified in SLSA Level 1. By recording detailed information about the build process, such as timestamps, authors, and build details, organizations establish a traceable chain-of-custody for their software artifacts.
Required Evidence
This initiative requires the following evidence types:
Evidence Defaults
Field | Value |
---|---|
signed | False |
Controls Overview
Control Name | Control Description | Mitigation |
---|---|---|
[provenance] Provenance exists | This control verifies that essential provenance metadata is present for each build artifact. | Ensure that provenance metadata is present for critical build artifacts to support supply chain integrity. |
Detailed Controls
[provenance] Provenance exists
This control verifies that essential provenance metadata is present for each build artifact.
Mitigation
Ensure that provenance metadata is present for critical build artifacts to support supply chain integrity.
Rules
Rule ID | Rule Name | Rule Description |
---|---|---|
provenance-exists | Provenance exists | Verify that the Provenance document evidence exists. |