Google and GitHub have been collaborating on a forgery-proof method for signing source code as part of their efforts to secure the software supply chain.
Software supply chain security depends on developers and organizations being able to verify that artifacts — the software components, frameworks, and build tools being used — are authentic and have not been tampered with. That is the thinking behind Supply-chain Levels for Software Artifacts (SLSA), a framework for maintaining end-to-end integrity of a software supply chain.
SLSA’s goal is to generate information that describes where, when, and how the artifacts were produced, and to give developers and organizations a way to identify where the artifacts diverged from the original. The project, originally built by Google last June in response to the National Institute of Standards and Technology’s (NIST) framework for software development, is managed by the Open Source Security Foundation.
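To make the "where, when, and how" idea concrete, the following added example (illustrative code, not SLSA's own schema or tooling) builds a small provenance record that names the builder, the source repository and commit, and the build time, binds it to the artifact by its SHA-256 digest, and then checks a delivered artifact against it. The record layout, the `example.invalid` URIs, the fixed timestamp and the shell-script artifact are all constructed for the demo, and an HMAC over the canonical JSON stands in for the public-key signature a real attestation would carry.

```python
import hashlib
import hmac
import json

# Constructed demo inputs: a tiny build output and a stand-in signing key.
ARTIFACT = b"#!/bin/sh\necho 'hello from build 42'\n"
SIGNING_KEY = b"demo-key-not-a-real-secret"
TRUSTED_BUILDERS = {"https://example.invalid/builder"}  # assumed trusted builder identity


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_provenance(artifact: bytes, name: str, source_uri: str,
                     commit: str, builder_id: str) -> dict:
    """Record where/when/how the artifact was produced, bound to its digest.

    The field names are a simplified illustration, not SLSA's provenance format.
    """
    return {
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "builder": {"id": builder_id},
        "source": {"uri": source_uri, "commit": commit},
        "buildStartedOn": "2022-01-01T00:00:00Z",  # constructed timestamp
    }


def canonical(statement: dict) -> bytes:
    # Deterministic serialization so signer and verifier authenticate identical bytes.
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def sign_provenance(statement: dict, key: bytes) -> dict:
    # HMAC-SHA256 is a stand-in for the asymmetric signature a real attestation uses.
    sig = hmac.new(key, canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": sig}


def verify(envelope: dict, artifact: bytes, key: bytes, trusted_builders: set) -> list:
    """Return the list of problems found; an empty list means the artifact matches."""
    problems = []
    statement = envelope["statement"]
    expected = hmac.new(key, canonical(statement), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        problems.append("signature does not verify: provenance altered or key unknown")
        return problems  # nothing inside an unverified statement can be trusted
    builder = statement["builder"]["id"]
    if builder not in trusted_builders:
        problems.append(f"untrusted builder: {builder}")
    recorded = statement["subject"][0]["digest"]["sha256"]
    actual = sha256_hex(artifact)
    if recorded != actual:
        problems.append(f"artifact digest mismatch: provenance {recorded[:12]}, actual {actual[:12]}")
    return problems


def demo() -> dict:
    """Run the three checks a consumer cares about and return their findings."""
    env = sign_provenance(
        build_provenance(ARTIFACT, "hello.sh", "git+https://example.invalid/repo",
                         "0" * 40, "https://example.invalid/builder"),
        SIGNING_KEY,
    )
    # 1. Genuine artifact with intact provenance.
    clean = verify(env, ARTIFACT, SIGNING_KEY, TRUSTED_BUILDERS)
    # 2. Artifact modified after the build: digest no longer matches the record.
    tampered = verify(env, ARTIFACT + b"echo extra\n", SIGNING_KEY, TRUSTED_BUILDERS)
    # 3. Provenance edited to claim a different commit: signature fails first.
    forged_statement = dict(env["statement"])
    forged_statement["source"] = {"uri": env["statement"]["source"]["uri"], "commit": "1" * 40}
    forged = verify({"statement": forged_statement, "signature": env["signature"]},
                    ARTIFACT, SIGNING_KEY, TRUSTED_BUILDERS)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or ["ok"])
```

The digest binding is what lets a consumer tell a rebuilt or patched binary apart from the one the provenance describes, and checking the signature before reading any field is what stops an attacker from simply editing the record to match a modified artifact.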
Knowing a project’s SLSA level can provide developers and organizations with some insights into the project’s security posture.