This is a working draft. This document may be modified, replaced, or discarded at any time.

Version 1.1 is the current version. See the Version 1.1 documentation.

SLSA Verified Properties

While SLSA is typically focused on expressing the security state of an artifact with levels, levels may not be appropriate in all cases. Some software supply chain controls don’t fit neatly within existing SLSA levels or that do may exist with others that users are not yet able to meet. SLSA Verified Properties allows a common way to express those properties (and their requirements) without needing to fit them into existing levels or introduce new tracks.

These properties MAY be included in the verifiedLevels field of verification_summaries (VSAs) when the VSA issuer determines the requirements have been met.

SLSA_SOURCE_TWO_PARTY_REVIEWED

Indicates the source code associated with this artifact has been reviewed by two trusted persons. This property MUST only be issued in accordance with the Source Track’s two-party-review requirements.

The property MAY be added at any source level in which an SCS can make this claim.

SLSA_BUILD_REPRODUCED

Indicates the referenced artifact has been reproduced by two or more builders.

This property MUST only be issued if the referenced artifact has build provenance from two or more independently operated Build Platforms which are trusted by the VSA issuer.

‹ Threats & mitigations General model ›