SLSA L2 Framework
Type: Initiative
ID: SLSA.L2
Version: 1.0.0
Bundle-Version: v2
Source: v2/initiatives/slsa.l2.yaml
Help: https://slsa.dev/
Evaluate SLSA Level 2
Description
Evaluate SLSA L2 and ensure that provenance information is both recorded and authenticated. This helps protect against unauthorized modifications and ensures artifact integrity.
Required Evidence
This initiative requires the following evidence types:
Evidence Defaults
Field | Value |
---|---|
signed | False |
Controls Overview
Control Name | Control Description | Mitigation |
---|---|---|
[provenance] Provenance authenticated | Ensure that provenance metadata for build artifacts is authenticated, confirming that it originates from a trusted source. | Authentication of provenance data prevents attackers from forging or modifying build metadata, ensuring the integrity of the software supply chain. |
Detailed Controls
[provenance] Provenance authenticated
Ensure that provenance metadata for build artifacts is authenticated, confirming that it originates from a trusted source.
Mitigation
Authentication of provenance data prevents attackers from forging or modifying build metadata, ensuring the integrity of the software supply chain.
Rules
Rule ID | Rule Name | Rule Description |
---|---|---|
provenance-exists | Provenance exists | Ensure that provenance metadata is present for each build artifact, enabling traceability and verification. |
provenance-authn | Provenance authenticated | Verify that provenance metadata is cryptographically authenticated, ensuring it has not been tampered with. |