SLSA L2 Framework
Type: Initiative
ID: SLSA.L2
Version: 1.0.0
Bundle-Version: v2
Source: v2/initiatives/slsa.l2.yaml
Help: https://slsa.dev/
Evaluate SLSA Level 2
Description
Evaluate SLSA L2 and ensure that provenance information is both recorded and authenticated. This helps protect against unauthorized modifications and ensures artifact integrity.
Controls Overview
Control Name | Control Description | Mitigation |
---|---|---|
[provenance] Provenance authenticated | Ensure that provenance metadata for build artifacts is authenticated, confirming that it originates from a trusted source. | Authentication of provenance data prevents attackers from forging or modifying build metadata, ensuring the integrity of the software supply chain. |
Evidence Defaults
Field | Value |
---|---|
signed | False |
Detailed Controls
[provenance] Provenance authenticated
Ensure that provenance metadata for build artifacts is authenticated, confirming that it originates from a trusted source.
Mitigation
Authentication of provenance data prevents attackers from forging or modifying build metadata, ensuring the integrity of the software supply chain.
Rules
Rule ID | Rule Name | Rule Description |
---|---|---|
provenance-exists | Provenance exists | Ensure that provenance metadata is present for each build artifact, enabling traceability and verification. |
provenance-authn | Provenance authenticated | Verify that provenance metadata is cryptographically authenticated, ensuring it has not been tampered with. |
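The two rules above, provenance-exists and provenance-authn, as an added worked example (not part of the initiative bundle): a minimal in-toto statement with a SLSA v1 provenance predicate is wrapped in a DSSE envelope, and the checker confirms that a statement naming the artifact's digest is present and that the signature over the DSSE pre-authentication encoding verifies. The artifact bytes, builder id and key are constructed; an HMAC stands in for the builder's signature scheme, which in a real deployment would be an asymmetric key or a keyless certificate.

```python
import base64, hashlib, hmac, json

# Constructed sample artifact and the provenance statement that describes it.
ARTIFACT = b"constructed release bytes"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"runDetails": {"builder": {"id": "https://builder.example/trusted"}}},
}
BUILDER_KEY = b"constructed-builder-key"  # assumption: stand-in for the builder's verification key

def pae(payload_type: str, body: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(body), body)

def sign_envelope(statement: dict, key: bytes) -> dict:
    """Produce a DSSE envelope over the statement (builder side)."""
    body = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(body).decode(),
            "signatures": [{"keyid": "builder-key", "sig": base64.b64encode(sig).decode()}]}

def check_provenance(envelope, artifact_sha256: str, key: bytes) -> dict:
    """Evaluate provenance-exists and provenance-authn for one artifact (verifier side)."""
    result = {"provenance-exists": False, "provenance-authn": False}
    if not envelope or not envelope.get("payload"):
        return result  # no provenance at all: both rules fail
    body = base64.b64decode(envelope["payload"])
    subjects = json.loads(body).get("subject", [])
    # provenance-exists: a statement must name this exact artifact digest as a subject
    result["provenance-exists"] = any(
        s.get("digest", {}).get("sha256") == artifact_sha256 for s in subjects)
    # provenance-authn: a signature over the PAE must verify under the trusted builder key;
    # a payload altered after signing, or signed by an unknown key, fails here
    expected = hmac.new(key, pae(envelope["payloadType"], body), hashlib.sha256).digest()
    result["provenance-authn"] = result["provenance-exists"] and any(
        hmac.compare_digest(base64.b64decode(s["sig"]), expected)
        for s in envelope.get("signatures", []))
    return result
```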