SLSA Level Reference
Search SLSA (Supply-chain Levels for Software Artifacts) requirements by level, keyword, or requirement type. Covers SLSA v0.1 and v1.0 tracks.
Calculations run locally in your browser.
About this tool
The SLSA Level Reference is a searchable index of SLSA v0.1 and v1.0 requirements, including provenance format, build environment requirements, and implementation guidance.
• Determine what is required to reach SLSA Level 2 for a GitHub Actions build
• Look up the provenance format required for SLSA Level 3
• Check what 'non-falsifiable provenance' means and how to achieve it
• Compare SLSA v0.1 levels with SLSA v1.0 Build tracks
FAQ
What does this tool tell you?
The SLSA Level Reference is a searchable index of SLSA v0.1 and v1.0 requirements, including provenance format, build environment requirements, and implementation guidance.
What affects the result most?
• SLSA Level 1: documentation only, build scripts exist (lowest assurance, any pipeline qualifies).
• SLSA Level 2: hosted build service, signed provenance (GitHub Actions or Google Cloud Build with provenance).
• SLSA Level 3: hardened build platform, non-falsifiable provenance (isolated build environment, no secrets in build).
How should I use the result?
Use this tool to orient quickly to the concepts, field names, or values you are about to look up in a full specification or vendor documentation. It summarizes the common cases; the authoritative source remains whichever standard or vendor doc defines the values themselves.