SLSA Provenance Generation

Acceleration

Phase: build

CFR

Quick Reference

Phase

build

Epic

Secure & Performant Build Pipelines

Milestone

Acceleration

Target

>= 80% builds have SLSA L2+ provenance

Implementation Time

Part of Secure & Performant Build Pipelines epic: 4.5 weeks (34 hours per capability avg)

What & Why

Definition

>= 80% of builds generate SLSA Level 2+ provenance with builder identity, materials, and build metadata.

Business Value

Maintains <10 minute build times while adding security checks and reduces container vulnerabilities by 95% through automated scanning and caching Achieving >= 80% builds have SLSA L2+ provenance is a key milestone toward this goal.

Context

This capability is part of the Acceleration milestone's focus on scale automation, embed compliance, improve speed & reliability. Essential for teams targeting DF, LT, CFR improvements.

Success Criteria

Target

>= 80% builds have SLSA L2+ provenance

Measurement

Provenance file presence and SLSA level

Evidence

SLSA provenance JSON files
Build metadata
SLSA level verification

In Practice

Real-World Implementation

GitHub Actions/GitLab CI generates SLSA provenance, records builder, source commit, dependencies, build environment. Attached to artifact.

Concrete Example

Build generates provenance.json: builder=github-hosted-runner, materials=[src@abc123, package-lock@def456], SLSA level=2.

Implementation Guide

Prerequisites

SBOM Generation

>= 80% builds generate SBOM

Implementation Steps

Follow the measurement approach: Provenance file presence and SLSA level

For detailed step-by-step guidance, refer to the Secure & Performant Build Pipelines Implementation Kit.

Resources

Related Capabilities

Prerequisites

Implement these first

SBOM Generation

Complementary

Often adopted together, from the Secure & Performant Build Pipelines epic

Signed Build Artifacts

CI Pipeline Hardening

Intelligent Build Caching

Multi-Layer Container Scanning

Troubleshooting & FAQs

Common Issues

Issue: Target metric not improving

Solution: Verify measurement is accurate, check if prerequisites are fully implemented, review evidence artifacts for completeness

Issue: Team resistance to adoption

Solution: Start with pilot team, demonstrate value with metrics, provide training and support during transition

Issue: Inconsistent implementation across teams

Solution: Create shared templates and guidelines, establish regular sync meetings, use automation to enforce standards

Frequently Asked Questions

Can we implement this before completing prerequisites?

While possible, it's not recommended. Prerequisites ensure foundational practices are in place, making this capability more effective and easier to adopt.

How long does implementation typically take?

Most capabilities can be implemented within 90 days when tackled as part of the Acceleration milestone. Individual timelines vary based on team size and existing practices.

What & Why

Definition

>= 80% of builds generate SLSA Level 2+ provenance with builder identity, materials, and build metadata.

Business Value

Context

This capability is part of the Acceleration milestone's focus on scale automation, embed compliance, improve speed & reliability. Essential for teams targeting DF, LT, CFR improvements.

In Practice

Real-World Implementation

GitHub Actions/GitLab CI generates SLSA provenance, records builder, source commit, dependencies, build environment. Attached to artifact.

Concrete Example

Build generates provenance.json: builder=github-hosted-runner, materials=[src@abc123, package-lock@def456], SLSA level=2.

Troubleshooting & FAQs

Common Issues

Issue: Target metric not improving

Solution: Verify measurement is accurate, check if prerequisites are fully implemented, review evidence artifacts for completeness

Issue: Team resistance to adoption

Solution: Start with pilot team, demonstrate value with metrics, provide training and support during transition

Issue: Inconsistent implementation across teams

Solution: Create shared templates and guidelines, establish regular sync meetings, use automation to enforce standards

Frequently Asked Questions

Can we implement this before completing prerequisites?

While possible, it's not recommended. Prerequisites ensure foundational practices are in place, making this capability more effective and easier to adopt.

How long does implementation typically take?

Most capabilities can be implemented within 90 days when tackled as part of the Acceleration milestone. Individual timelines vary based on team size and existing practices.

SLSA Provenance Generation

Quick Reference

What & Why

Definition

Business Value

Context

Success Criteria

Measurement

Evidence

In Practice

Real-World Implementation

Concrete Example

Implementation Guide

Prerequisites

Implementation Steps

Resources

Implementation Kit

Templates

Related Resources

Related Capabilities

Prerequisites

Complementary

Troubleshooting & FAQs

Common Issues

Issue: Target metric not improving

Issue: Team resistance to adoption

Issue: Inconsistent implementation across teams

Frequently Asked Questions

Can we implement this before completing prerequisites?

How long does implementation typically take?

SLSA Provenance Generation

Quick Reference

What & Why

Definition

Business Value

Context

Success Criteria

Measurement

Evidence

In Practice

Real-World Implementation

Concrete Example

Implementation Guide

Prerequisites

Implementation Steps

Resources

Implementation Kit

Templates

Related Resources

Related Capabilities

Prerequisites

Complementary

Troubleshooting & FAQs

Common Issues

Issue: Target metric not improving

Issue: Team resistance to adoption

Issue: Inconsistent implementation across teams

Frequently Asked Questions

Can we implement this before completing prerequisites?

How long does implementation typically take?