SLSA-LEVEL-2
SLSA L2 source VC + build hosted + provenance signed.
Définition
SLSA L2 requirements (cumulative L1) : (1) Source : version-controlled, two-person reviewed pas obligatoire L2 (L3 yes), retention >18 months minimum, accessible. (2) Build : hosted build platform (cloud-hosted CI runners GitHub Actions ubuntu-latest, GitLab.com runners, CircleCI Cloud, etc., NOT self-hosted runners users-controlled), build steps documented in machine-readable config (.github/workflows/build.yml). (3) Provenance : signed by build platform attestation (build platform private key signs SLSA Provenance, not just any party as in L1), provenance includes builder Identity ID, source materials, build invocation. Common L2 implementations : GitHub Actions slsa-github-generator action emits provenance signed via Sigstore Cosign Fulcio identity workload OIDC, GitLab CI similar. Use case : ~70% OSS projects active migration L2 from L1 2024, balance protection vs operational complexity, recommanded baseline mature projects.
Origine
SLSA L2 specification publie 2021 par Google SSCS team ; L2 levels confirmed SLSA 1.0 publie 2023 OpenSSF ; ~70% target OSS projects migration 2024.
Exemple en contexte
Kubernetes (CNCF) build via Prow CI hosted GoogleCloudBuild platform, source GitHub kubernetes/kubernetes (version-controlled Git), produces SLSA L2 Provenance attestations signed Sigstore Cosign for releases v1.30+ container images, end users verify via cosign verify-attestation.
Termes liés
- SLSA L3 — niveau superieur.