Codenotary and the SLSA Framework

Codenotary is leading the way in safeguarding against software supply chain attacks, an ever-present threat in which vulnerable artifacts can be introduced at several points of the pipeline.

SolarWinds and other attacks have prompted organizations such as CISA to release guidelines that minimize the risk of such attacks and to develop an industry-wide solution jointly with the commercial and open source communities.
Enter the SLSA framework: a systematic guideline for preventing the introduction of problematic artifacts.

SLSA levels provide a common language for describing how secure a software supply chain and its components truly are.

SLSA 1. The most basic level, which gives risk managers a high-level view of the origin of artifacts (provenance checks).

SLSA 2. This level requires an immutable reference that points to each change in the repository, which makes it difficult for an attacker to modify the software, to the point that the build service can be considered safe.

SLSA 3. An extension of SLSA 2: the source and build platforms must meet stricter security standards that guarantee a more reliable and detailed source audit, preventing sophisticated attacks such as cross-build contamination.

SLSA 4. The maximum level of protection. In addition to all the requirements of the previous levels, SLSA 4 requires a two-person review of all changes and a reproducible build process. Common to all levels is unlimited retention of code changes and an immutable change history.
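The levels above translate into checks a consumer can actually run before trusting an artifact. The following is an added example, not code from this page or from Codenotary's products: it verifies a downloaded artifact against a SLSA provenance attestation in the in-toto Statement format (statement type https://in-toto.io/Statement/v0.1, predicate type https://slsa.dev/provenance/v0.2), confirming that the artifact's digest matches the attested subject, that the builder is one the consumer trusts, and that the source was pinned to an immutable revision as SLSA 2 demands. The artifact bytes, the builder identifier, the commit id and the whole attestation are constructed for the example; a real attestation would come from the build service and its signature would be checked before any of these policy checks run.

```python
"""Policy checks over a SLSA provenance attestation (added example, not Codenotary code)."""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"

# Constructed artifact standing in for a downloaded release file.
ARTIFACT_NAME = "example-app"
ARTIFACT_BYTES = b"binary contents of example-app v1.2.3\n"

# Builders this consumer trusts (constructed identifier, not a real service).
TRUSTED_BUILDERS = {"https://ci.example.invalid/builder/v1"}

# Constructed attestation. A real builder computes the subject digest itself;
# here it is derived from the sample bytes so the sample is self-consistent.
SAMPLE_STATEMENT_JSON = json.dumps({
    "_type": STATEMENT_TYPE,
    "predicateType": PROVENANCE_TYPE,
    "subject": [
        {"name": ARTIFACT_NAME,
         "digest": {"sha256": hashlib.sha256(ARTIFACT_BYTES).hexdigest()}},
    ],
    "predicate": {
        "builder": {"id": "https://ci.example.invalid/builder/v1"},
        "buildType": "https://ci.example.invalid/buildtypes/generic/v1",
        "invocation": {
            "configSource": {
                "uri": "git+https://git.example.invalid/org/example-app",
                # Placeholder commit id (constructed): SLSA 2 wants the source
                # pinned to an immutable reference such as a commit digest.
                "digest": {"sha1": "a" * 40},
                "entryPoint": "build.yaml",
            }
        },
    },
})


def verify_provenance(artifact: bytes, name: str, statement: dict,
                      trusted_builders: set) -> list:
    """Return the list of policy violations; an empty list means the artifact passes."""
    problems = []

    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        problems.append("unexpected predicate type")

    # SLSA 1: the provenance must actually describe this artifact.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = [s for s in statement.get("subject", []) if s.get("name") == name]
    if not subjects:
        problems.append("no subject named %r in provenance" % name)
    elif not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest does not match provenance subject")

    # The builder that produced the provenance must be one we trust.
    predicate = statement.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        problems.append("untrusted builder %r" % builder_id)

    # SLSA 2: the build must point at an immutable source revision.
    source = predicate.get("invocation", {}).get("configSource", {})
    if not source.get("digest", {}).get("sha1"):
        problems.append("source is not pinned to an immutable revision")

    return problems


def check_sample(artifact: bytes = ARTIFACT_BYTES,
                 trusted_builders: set = TRUSTED_BUILDERS) -> list:
    """Run the checks against the constructed attestation."""
    return verify_provenance(artifact, ARTIFACT_NAME,
                             json.loads(SAMPLE_STATEMENT_JSON), trusted_builders)


if __name__ == "__main__":
    print("genuine artifact:", check_sample() or "OK")
    print("tampered artifact:", check_sample(artifact=ARTIFACT_BYTES + b"x"))
    print("builder not trusted:", check_sample(trusted_builders=set()))
```

The function returns every violation rather than stopping at the first so that a rejected artifact can be logged with the full reason; a deployment gate would refuse anything for which the list is non-empty. Note that verifying the attestation's signature (and, at higher levels, that the builder itself meets the stricter platform requirements) is a separate step that must precede these content checks.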

Implementing SLSA does not have to be a daunting task. Codenotary enables compliance with all SLSA levels, offering a platform that notarizes artifacts, assigns each a unique identity and stores the results in immudb, an innovative cryptographically verifiable immutable ledger, which guarantees a trusted supply chain with a tamper-proof provenance SBOM.

This way our customers can be sure that the programs, code, libraries and container images in their builds are truly the only ones included.

Codenotary Cloud: protecting artifacts across your software supply chain. For more information, please contact us.