SLSA Level Reference
Search SLSA (Supply-chain Levels for Software Artifacts) requirements by level, keyword, or requirement type. Covers SLSA v0.1 and v1.0 tracks.
No data is transmitted; everything runs locally.
About this tool
SLSA Level Reference
The SLSA Level Reference is a searchable index of SLSA v0.1 and v1.0 requirements, including provenance format, build environment requirements, and implementation guidance.
• Determine what is required to reach SLSA Level 2 for a GitHub Actions build
• Look up the provenance format required for SLSA Level 3
• Check what 'non-falsifiable provenance' means and how to achieve it
• Compare SLSA v0.1 levels with SLSA v1.0 Build tracks
FAQ
What does this tool tell you?
The SLSA Level Reference is a searchable index of SLSA v0.1 and v1.0 requirements, including provenance format, build environment requirements, and implementation guidance.
What affects the result most?
• SLSA Level 1: documentation only, build scripts exist (lowest assurance, any pipeline qualifies).
• SLSA Level 2: hosted build service, signed provenance (GitHub Actions or Google Cloud Build with provenance).
• SLSA Level 3: hardened build platform, non-falsifiable provenance (isolated build environment, no secrets in build).
How should I use the result?
Use this tool to orient quickly to the concepts, field names, or values you are about to look up in a full specification or vendor documentation. It summarizes the common cases; the authoritative source remains whichever standard or vendor doc defines the values themselves.