Supply-chain Levels for Software Artifacts, or SLSA (pronounced “salsa”), is a security framework to reason about and improve the integrity of released artifacts. With the recent release of SLSA version 1.0, SLSA is seeing increased adoption, both from industry and open source projects. The framework provides guidelines and compliance programs for infrastructure providers to integrate SLSA requirements in their build platforms. However, implementing a SLSA-compliant builder requires expertise in both SLSA and the underlying platform used to build it.
Come to this talk to learn about recent work that allows you to wrap existing tools (in the form of a binary, a GitHub Action, or a container) into a SLSA-compliant builder with minimal effort on existing open-source CI/CD platforms. We will show how SLSA builders for several package managers, such as npm and maven, are implemented with this framework on GitHub Actions. We will also report the lessons learned and the challenges we faced, in the hope it will help others that our experiences will help others implement trusted builders more effectively.
At the end of this talk, attendees will have enough background to make a tool attest to its output using SLSA provenance.
Software Engineer @Google
Asra is Software Engineer at Google working on Privacy, Safety, and Security. Her primary focus is on developing a transpiler for Fully Homomorphic Encryption and on the side contributes to the Google Open Source Security Team (GOSST) where she works on projects to improve software supply chain integrity. She’s a maintainer of Sigstore projects and open-source Supply-chain Levels for Software Artifacts (SLSA) tooling repositories. Previously, she worked on Envoy, fuzzing, and privacy-preserving technologies. She's passionate about making the internet a more private and secure space.