Pipeline Security Hardening with SLSA
Software supply chain attacks exploit the gap between source code and deployed artifact. The SLSA framework (Supply-chain Levels for Software Artifacts) defines concrete requirements for closing that gap. It is not a tool you install – it is a set of verifiable properties your build process must satisfy.
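What "verifiable properties" means in practice is that the build emits a provenance statement and the consumer checks it before deploying. The following is an added example, not code from the original page or from the SLSA project: a minimal Python verifier for a SLSA v1 provenance statement (the in-toto Statement v1 format with the `https://slsa.dev/provenance/v1` predicate). The artifact bytes, the builder ID `https://example.com/builders/ci@v1`, the build type and the source URI are constructed sample values. It assumes the statement has already been extracted from a DSSE envelope whose signature was verified against the builder's key; without that step the checks below are meaningless, because an attacker who can swap the artifact can also rewrite an unsigned statement.

```python
import hashlib

# Constructed sample artifact standing in for a built binary.
ARTIFACT = b"#!/bin/sh\necho hello\n"

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"

# Hypothetical identifiers for this example; a real verifier takes these
# from policy, not from the statement it is checking.
TRUSTED_BUILDERS = {"https://example.com/builders/ci@v1"}
EXPECTED_SOURCE = "git+https://example.com/org/app"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample provenance, shaped like a SLSA v1 statement. In practice
# this is the payload of a signed DSSE envelope; signature verification is
# assumed to have happened before this dict is trusted.
PROVENANCE = {
    "_type": INTOTO_STATEMENT_V1,
    "subject": [{"name": "app.sh", "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": SLSA_V1_PREDICATE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/build/v1",  # hypothetical
            "externalParameters": {
                "source": {"uri": EXPECTED_SOURCE, "digest": {"sha1": "a" * 40}}
            },
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/ci@v1"}},
    },
}


class ProvenanceError(Exception):
    pass


def verify_provenance(statement: dict, artifact: bytes,
                      trusted_builders: set, expected_source: str) -> dict:
    """Bind `artifact` to `statement` and check the statement against policy.

    Returns the matching subject entry, or raises ProvenanceError. Matching is
    done on the digest, not the subject name: names are attacker-choosable
    metadata, the digest is what ties the statement to these exact bytes.
    """
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        raise ProvenanceError("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        raise ProvenanceError("predicateType is not SLSA provenance v1")

    digest = sha256_hex(artifact)
    matches = [s for s in statement.get("subject", [])
               if s.get("digest", {}).get("sha256") == digest]
    if not matches:
        raise ProvenanceError("artifact digest not among provenance subjects")

    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        raise ProvenanceError(f"untrusted builder: {builder!r}")

    source = (pred.get("buildDefinition", {})
                  .get("externalParameters", {})
                  .get("source", {})
                  .get("uri"))
    if source != expected_source:
        raise ProvenanceError(f"unexpected source: {source!r}")
    return matches[0]


def is_deployable(artifact: bytes) -> bool:
    """Policy gate a deploy step would call: True only if provenance checks out."""
    try:
        verify_provenance(PROVENANCE, artifact, TRUSTED_BUILDERS, EXPECTED_SOURCE)
        return True
    except ProvenanceError:
        return False


if __name__ == "__main__":
    print("original artifact deployable:", is_deployable(ARTIFACT))
    print("tampered artifact deployable:", is_deployable(ARTIFACT + b"x"))
```

Any one-byte change to the artifact, any builder ID outside the allowlist, or a source URI that differs from policy makes `is_deployable` return False. The three checks map directly onto what SLSA provenance is meant to guarantee: which builder produced the artifact, from which source, and that the bytes you hold are the bytes it produced.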
SLSA Levels
SLSA defines four levels of increasing assurance:
Level 0: No guarantees. Most pipelines start here.