SLSA Compliance Program #515

Open
4 of 6 tasks
Tracked by #508
SecKatie opened this issue Oct 20, 2022 · 9 comments

Comments

@SecKatie (Contributor)

SecKatie commented Oct 20, 2022

Doc: https://docs.google.com/document/d/1iWjO4UGcGm0PeCm9mbqeT-PiD4z4S7qXMaZsGIFUn0s/edit
Presentation: https://docs.google.com/presentation/u/0/d/1oQoJYy9aCGvnEi43NtgSEfuw3IZbYRuapKFrwSceudA/edit

Background

The Supply Chain Levels for Software Artifacts (SLSA) framework provides a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. A compliance program that gives explicit permission for organizations to assert their compliance with the SLSA program will allow companies to utilize their security efforts in marketing and allow consumers to evaluate their suppliers effectively.

The SLSA Compliance Program utilizes several common industry patterns to give consumers and businesses a transparent understanding of their rights and obligations when asserting compliance with the SLSA framework. This is provided through a self-assessment compliance program and an accredited third-party compliance program that are structured into tiers.

Next Steps

  • Define the scope of the program - Decision: Initial Scope - Build Systems
    • Let’s clarify what types of things would be certified: projects, repositories, practices, artifacts, suppliers, toolchains, closed source, etc.
  • Discuss in the specification SIG
  • Integrate compliance into requirements (Add SLSA conformance to requirements page, #572)
  • Create certification and registry page (compliance: certification program, #590)
  • Standardize builder signing
@MarkLodato (Member)

👍. We also need to figure out how to incorporate it into the specification.

@joshuagl (Member)

joshuagl commented Nov 7, 2022

Thank you for working on this!

I like the two-tiered proposal; getting folks (and process) up and running with a self-assessment while we figure out third-party feels like a sound approach.

The self-assessment process reminds me of the OpenSSF Best Practices badge and their model of a web application to complete the form may make sense? https://bestpractices.coreinfrastructure.org/en

I also wanted to link to a discussion around an attestation predicate for human reviews of artefacts happening in the in-toto attestation repository

@tracymiranda

For reference here is the SLSA Compliance Assessment that is in use by the Kubernetes community for their SLSA efforts kubernetes/enhancements#3027

@SecKatie (Contributor, Author)

A major value area would be that organizations and projects can select a build system that allows them to comply with SLSA. For the first iteration, I think that is the best starting point for providing our badges and putting guardrails up.

In the Specification Meeting on November 14th 2022 we discussed this as a decision point for the first effort so that we can properly scale the scope of work and an MVP of a self-attestation survey.

Decision: The conformance program will initially target Build Systems

Next Steps:

  • Select requirements that require the cooperation or technical support of the build system
  • Create a questionnaire that attests to the selected requirements
  • Identify the level of SLSA that build platforms can attest to
  • Establish branding that can be provided to Build Platforms
  • Work with legal to define agreements and requirements

@laurentsimon (Contributor)

I'm one of the maintainers of https://github.com/slsa-framework/slsa-verifier. We'd be interested in incorporating builder levels that come out of "Identify the level of SLSA that build platforms can attest to" (slsa-framework/slsa-verifier#158 and slsa-framework/slsa-verifier#84).

@lehors (Member)

lehors commented Nov 22, 2022

Hi,
I'm not totally sure where the discussion for this takes place. I added a few comments to the google doc.

kpk47 added a commit to kpk47/slsa that referenced this issue Jan 18, 2023
@SecKatie SecKatie changed the title SLSA Conformance Program SLSA Compliance Program Jan 30, 2023
kpk47 added a commit that referenced this issue Jan 30, 2023
* Add SLSA conformance to requirements page

#515

Signed-off-by: kpk47 <[email protected]>

* lint

Signed-off-by: kpk47 <[email protected]>

* Update docs/spec/v1.0/requirements.md

Co-authored-by: Arnaud J Le Hors <[email protected]>
Signed-off-by: kpk47 <[email protected]>

* Update docs/spec/v1.0/requirements.md

Co-authored-by: Joshua Mulliken <[email protected]>
Signed-off-by: kpk47 <[email protected]>

* review comments & added requirement that attestation include SLSA levels

Signed-off-by: kpk47 <[email protected]>

* review comments

Signed-off-by: kpk47 <[email protected]>

* Update docs/spec/v1.0/requirements.md

Co-authored-by: Mark Lodato <[email protected]>
Signed-off-by: kpk47 <[email protected]>

* line wrap

Signed-off-by: kpk47 <[email protected]>

---------

Signed-off-by: kpk47 <[email protected]>
Signed-off-by: kpk47 <[email protected]>
Co-authored-by: Arnaud J Le Hors <[email protected]>
Co-authored-by: Joshua Mulliken <[email protected]>
Co-authored-by: Mark Lodato <[email protected]>
@MarkLodato (Member)

Removing this from the v1.0 tracker since we're moving it outside the spec.

@kpk47 (Contributor)

kpk47 commented Apr 5, 2023

This fell a bit by the wayside as we prepared for v1.0-RC2.

@JoshuaMulliken and I met with a member of the Linux Foundation to discuss setting up a conformance program. The basic steps are:

  1. Create some sort of test we can use to determine a build system's SLSA conformance. The kubernetes program uses a test suite, but in our case it's likely to be a questionnaire or checklist filled out by hand.
  2. Draft terms for the conformance program. IIUC, the way it would work is that we would have a badge that we license out to build systems that conform to the SLSA spec.
  3. Create a badge to license under the terms in step 2.

We've drafted a sample questionnaire and terms of service for the conformance program. Please feel free to comment, especially on the questionnaire: https://docs.google.com/document/d/1r6jM84mTa1dBJ6-KTPJKzCPUQ3GA8BuDIzFjbVfH7P8/edit?usp=sharing

@kpk47 (Contributor)

kpk47 commented May 1, 2023

I've posted a proposal at slsa-framework/slsa-proposals#9

chtiangg pushed a commit to chtiangg/slsa that referenced this issue May 22, 2023