ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

SLSA-LEVEL-2

SLSA L2 source VC + hosted build + signed provenance.

Definition

SLSA L2 requirements (cumulative L1): (1) Source: version-controlled, two-person reviewed not mandatory L2 (L3 yes), retention >18 months minimum, accessible. (2) Build: hosted build platform (cloud-hosted CI runners GitHub Actions ubuntu-latest, GitLab.com runners, CircleCI Cloud, etc., NOT user-controlled self-hosted runners), build steps documented in machine-readable config (.github/workflows/build.yml). (3) Provenance: signed by build platform attestation (build platform private key signs SLSA Provenance, not just any party as in L1), provenance includes builder Identity ID, source materials, build invocation. Common L2 implementations: GitHub Actions slsa-github-generator action emits provenance signed via Sigstore Cosign Fulcio identity workload OIDC, GitLab CI similar. Use case: ~70% OSS projects active migration L2 from L1 2024, balance protection vs operational complexity, recommended baseline mature projects.

Origin

SLSA L2 specification published 2021 by Google SSCS team ; L2 levels confirmed SLSA 1.0 published 2023 OpenSSF ; ~70% OSS projects target migration 2024.

Example in context

Kubernetes (CNCF) builds via Prow CI hosted GoogleCloudBuild platform, source GitHub kubernetes/kubernetes (version-controlled Git), produces SLSA L2 Provenance attestations signed Sigstore Cosign for releases v1.30+ container images, end users verify via cosign verify-attestation.

Last updated: May 16, 2026