loopbackio / security

[WORK IN PROGRESS] A centralised repository for all security-related matters on the LoopBack Project.
MIT License

Align with SLSA3+ for verifiable provenance #32

Open achrinza opened 1 year ago

achrinza commented 1 year ago

see: https://github.com/slsa-framework/slsa-github-generator/blob/3d27f18a67e12a251517ca9af35771a93da39526/internal/builders/generic/README.md see: https://security.googleblog.com/2022/04/improving-software-supply-chain.html

achrinza commented 7 months ago

There are two ways to achieve SLSA levels of assurance:

| Method | SLSA Security Level | SLSA Provenance Statement Version | Accepted by NPM Registry? | Status |
|---|---|---|---|---|
| Standalone npm provenance | Build L2 | v1.0 | Yes | Stable |
| SLSA Node.js Builder | Build L3 | v0.2 | Yes | Beta |

SLSA Build L2 vs L3

SLSA Build L2 only guarantees the authenticity of the subject of the provenance document. This means that we can only guarantee that the provenance was created within a GitHub-hosted runner, but we can't guarantee that the contents of the provenance are accurate. This means that L2 is useful for preventing post-build tamper, but not during-build tamper.

SLSA Build L3 extends L2 by enforcing during-build tamper through a security boundary.

Standalone npm provenance

TODO

SLSA Node.js Builder

This is an "official" builder which builds on the BYOB framework.

Limitations