Skip to main content
Version: 2.9

Supply chain levels for software artifacts (SLSA) adoption

Supply chain Levels for Software Artifacts, or SLSA (salsa) is a framework for improving and grading a project's build system and engineering processes. SLSA focuses on security improvements for source code storage as well as build system definition, execution, and observation. SLSA is structured in four levels. This page describes the adoption of SLSA for Constellation.

info

SLSA is still in alpha status. The presented levels and their requirements might change in the future. We will adopt any changes into our engineering processes, as they get defined.

Level 1 - Adopted

Build - Scripted

All build steps are automated via Bazel and GitHub Actions.

Provenance - Available

Provenance for the CLI is generated using the slsa-github-generator.

Level 2 - Adopted

Source - Version Controlled

Constellation is hosted on GitHub using git.

Build - Build Service

All builds are carried out by GitHub Actions.

Provenance - Authenticated

Provenance for the CLI is signed using the slsa-github-generator. Learn how to verify the CLI using the signed provenance, before using it for the first time.

Provenance - Service Generated

Provenance for the CLI is generated using the slsa-github-generator in GitHub Actions.

Level 3 - Adopted

Source - Verified History

The Edgeless Systems GitHub organization requires two-factor authentication for all members.

Source - Retained Indefinitely

Since we use GitHub to host the repository, an external person can't modify or delete the history. Before a pull request can be merged, an explicit approval from an Edgeless Systems team member is required.

The same holds true for changes proposed by team members. Each change to main needs to be proposed via a pull request and requires at least one approval.

The Edgeless Systems GitHub organization admins control these settings and are able to make changes to the repository's history should legal requirements necessitate it. These changes require two-party approval following the obliterate policy.

Build - Build as Code

All build files for Constellation are stored in the same repository.

Build - Ephemeral Environment

All GitHub Action workflows are executed on GitHub-hosted runners. These runners are only available during workflow.

We currently don't use self-hosted runners.

Build - Isolated

As outlined in the previous section, we use GitHub-hosted runners, which provide a new, isolated and ephemeral environment for each build.

Additionally, the SLSA GitHub generator itself is run in an isolated workflow with the artifact hash as defined inputs.

Provenance - Non-falsifiable

As outlined by SLSA GitHub generator it already fulfills the non-falsifiable requirements for SLSA Level 3. The generated provenance is signed using sigstore with an OIDC based proof of identity.

Level 4 - In Progress

We strive to adopt certain aspect of SLSA Level 4 that support our engineering process. At the same time, SLSA is still in alpha status and the biggest changes to SLSA are expected to be around Level 4.