SLSA Provenance
Building Verifiable Builds and Release Pipelines
by Trex Team
Digital download – no shipping costs
Description
"SLSA Provenance: Building Verifiable Builds and Release Pipelines"
Modern supply-chain attacks rarely break cryptography—they exploit ambiguity: which source was built, which dependencies were actually used, and whether a CI system can be trusted to tell the truth. This book is written for experienced engineers, security architects, and platform teams who need verifiable answers, not best-effort metadata. It takes a threat-model-first approach to provenance, showing how to reason about trust boundaries, attacker capabilities, and what “integrity” really means in real CI/CD environments.
You’ll learn SLSA v1.2 as an engineering discipline: how tracks and levels translate into concrete controls and measurable guarantees, and how to produce provenance that stands up to adversarial scrutiny. The book goes deep on the in-toto/DSSE attestation model, artifact identity by digest, and the SLSA Provenance predicate v1—especially builder identity, buildType design, and dependency capture for (near-)hermetic builds. It then moves to operational reality: hardening builders, choosing between keyed and keyless signing (Sigstore), distributing attestations at scale, and building policy-based verification that can gate releases.
Examples are oriented around practical flows (e.g., cosign-based production and verification), with special attention to failure modes, incident response, and progressive enforcement strategies that improve security without stopping delivery. Familiarity with CI/CD systems, container registries, and modern signing/identity concepts is assumed.
Product details
| ISBN | 6610001191580 |
| Publisher | NobleTrex Press |
| Publication date | 23.03.2026 |
| Language | English |