Commit time: April 7, 2023 14:28

SLSA ("salsa") is Supply-chain Levels for Software Artifacts

SLSA (pronounced "salsa") is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity. It’s how you get from safe enough to being as resilient as possible, at any link in the chain.

Learning about SLSA

See to learn about SLSA.

What's in this repo?

The primary content of this repo is the docs/ directory, which contains the core SLSA specification and sources to the website. See the in that directory for instructions on how to build the site.

This repository also hosts SLSA's main issue tracker, covering the website, specification, and overall project management. Other git repositories within the slsa-framework organization have repo-specific issue trackers.

How to get involved

See for ways to get involved in SLSA development.

Active workstreams

| Workstream | Shepherd |
| --- | --- |
| Build Level 4 | David A Wheeler (@david-a-wheeler) |
| Hardware Attested Platforms | Marcela Melara (@marcelamelara), Chad Kimes (@chkimes) |
| Source Track | Kris K (@kpk47) |
| Version 1.1 release | Joshua Lock (@joshuagl) |

URL Aliases

We have several redirects configured on for the convenience of the team:


SLSA is an OpenSSF project. See slsa-framework/governance for governance information, including current steering committee members.

To include the steering committee on GitHub, use @slsa-framework/slsa-steering-committee.


All SLSA specification content contributed following adoption of the Community Specification governance model is provided under the Community Specification License 1.0.

Pre-existing portions of the SLSA specification from contributors who have not subsequently contributed under the Community Specification License 1.0 following its adoption are provided under the Apache License 2.0.