In parallel to the SLSA specification, there is work to develop core formats and data models. Currently this is joint work between Binary Authorization and in-toto but we invite wider participation.
- Standard attestation format to express provenance and other attributes. This will allow sources and builders to express properties in a standard way that can be consumed by anyone. Also includes reference implementations for generating these attestations.
- Policy data model and reference implementation.
For a broader view of the software supply chain problem:
- Know, Prevent, Fix: A framework for shifting the discussion around vulnerabilities in open source
- [Threats, Risks, and Mitigations in the Open Source Ecosystem]
Prior iterations of the ideas presented here:
- Building Secure and Reliable Systems, Chapter 14: Deploying Code
- [Binary Authorization for Borg] - This is how Google implements the SLSA idea internally.
Other related work:
- CII Best Practices Badge
- Security Scorecards - Perhaps SLSA could be implemented as an aggregation of scorecard entries, for at least the checks that can be automated.
- Trustmarks
Other takes on provenance and CI/CD: