Open achrinza opened 1 year ago
There are two ways to achieve SLSA levels of assurance:
| Method | SLSA Security Level | SLSA Provenance Statement Version | Accepted by NPM Registry? | Status |
|---|---|---|---|---|
| Standalone npm provenance | Build L2 | v1.0 | Yes | Stable |
| SLSA Node.js Builder | Build L3 | v0.2 | Yes | Beta |
SLSA Build L2 only guarantees the authenticity of the subject of the provenance document. This means that we can only guarantee that the provenance was created within a GitHub-hosted runner, but we can't guarantee that the contents of the provenance are accurate. This means that L2 is useful for preventing post-build tamper, but not during-build tamper.
SLSA Build L3 extends L2 by enforcing during-build tamper through a security boundary.
npm provenance
This is an "official" builder which builds on the BYOB framework.
see: https://github.com/slsa-framework/slsa-github-generator/blob/3d27f18a67e12a251517ca9af35771a93da39526/internal/builders/generic/README.md
see: https://security.googleblog.com/2022/04/improving-software-supply-chain.html