As a DevSecOps engineer, you are aware that software supply chain attacks are rapidly on the rise. To secure the supply chain at scale, organizations are adopting the best practice of producing and verifying software bills of materials (SBOMs) so that incoming risk can be evaluated continuously. However, the industry is realizing that SBOMs alone are not enough for software supply chain security: an SBOM inventories what an artifact contains, but it does not say who built it, from which source, or whether the artifact was modified after the build, so it does not help users detect or respond to tampering with software artifacts.
To protect software artifacts from unauthorized modification anywhere in the software supply chain, a security framework aptly named Supply Chain Levels for Software Artifacts, or SLSA (pronounced "salsa"), has emerged. SLSA is an adoptable guidance framework: a checklist of requirements and controls, organized into levels, for safeguarding the integrity of software artifacts (open source or proprietary) across the entire supply chain, chiefly by requiring verifiable provenance that records how each artifact was built.
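The tamper check that SLSA provenance enables, as an added example that is not part of the original article or of the SLSA project's own tooling: a consumer recomputes the digest of the artifact it downloaded, looks that digest up in the provenance statement's `subject` list, and then applies its own policy to the builder identity and source recorded in the predicate. The in-toto Statement and SLSA v1 field names used here follow the published schema, but the statement, the artifact bytes, the builder id, the buildType and the shape of `externalParameters.source` are constructed for this demo and are assumptions (hypothetical values, not from any real build). Signature verification of the DSSE envelope that would wrap such a statement is assumed to have been done already by a tool such as slsa-verifier or cosign; this code shows only the content checks that follow it.

```python
"""Check a downloaded artifact against a SLSA v1 provenance statement.

Added example (not the article's or the SLSA project's code). All values
below are constructed for the demo; DSSE signature verification of the
statement is assumed to have happened before these checks run.
"""
import hashlib
import json

# Constructed artifact bytes, standing in for a downloaded release tarball.
GOOD_ARTIFACT = b"release-1.2.3 contents\n"

# Constructed in-toto Statement carrying a SLSA v1 provenance predicate.
# Field names follow the published schema; the buildType, builder id and
# source layout are hypothetical values chosen for this example.
PROVENANCE_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{
        "name": "app-1.2.3.tar.gz",
        "digest": {"sha256": hashlib.sha256(GOOD_ARTIFACT).hexdigest()},
    }],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/hypothetical-build-type/v1",
            "externalParameters": {
                "source": {"uri": "git+https://github.com/example/app@refs/tags/v1.2.3"}
            },
        },
        "runDetails": {
            "builder": {"id": "https://example.com/hypothetical-builder/v1"},
        },
    },
})

# Consumer-side policy: which builders we trust and where the source must come from.
# In practice this is owned by the consumer, never by the producer of the artifact.
TRUSTED_BUILDERS = {"https://example.com/hypothetical-builder/v1"}
EXPECTED_SOURCE_PREFIX = "git+https://github.com/example/app@"


def verify_artifact(artifact: bytes, name: str, statement_json: str) -> list[str]:
    """Return the list of policy violations; an empty list means the artifact is accepted."""
    problems = []
    stmt = json.loads(statement_json)

    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append(f"unexpected statement type {stmt.get('_type')!r}")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append(f"unexpected predicate type {stmt.get('predicateType')!r}")

    # 1. The bytes in hand must match a subject of the statement by digest.
    #    Any post-build modification changes the digest and fails here.
    actual = hashlib.sha256(artifact).hexdigest()
    subject = next((s for s in stmt.get("subject", []) if s.get("name") == name), None)
    if subject is None:
        problems.append(f"no subject named {name!r}")
    elif subject.get("digest", {}).get("sha256") != actual:
        problems.append("sha256 of artifact does not match provenance subject")

    # 2. The provenance must come from a builder the consumer trusts.
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        problems.append(f"untrusted builder {builder!r}")

    # 3. The build must have consumed the expected source repository.
    source = (pred.get("buildDefinition", {})
                  .get("externalParameters", {})
                  .get("source", {})
                  .get("uri", ""))
    if not source.startswith(EXPECTED_SOURCE_PREFIX):
        problems.append(f"unexpected source {source!r}")

    return problems


if __name__ == "__main__":
    print("good:", verify_artifact(GOOD_ARTIFACT, "app-1.2.3.tar.gz", PROVENANCE_JSON))
    tampered = GOOD_ARTIFACT + b"#backdoor\n"
    print("tampered:", verify_artifact(tampered, "app-1.2.3.tar.gz", PROVENANCE_JSON))
```

The digest check is what an SBOM alone cannot give you: a modified tarball still "contains" the same components, but its sha256 no longer appears in any provenance subject, so the verifier rejects it. The builder and source checks are the consumer's policy and are only meaningful once the statement's signature has been verified against the builder's key, which is why that step is assumed to precede this one.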