SLSA (Supply-chain Levels for Software Artifacts) expressed as a throughline source — a standalone, grounded requirements graph that a consuming project composes with throughline-compose.
This repository holds no application code. It is a directory of small YAML items with
permanent UIDs, validated by tl check. Consumers import it under a namespace and
reference its requirements as slsa:SR-0003.
This is the SLSA v1.2 edition —
2
tracks,5
requirement groups and22
requirements, published to [`docs/spec.md`](docs/spec.md).The counts above are rendered from the live graph by the tl:count directive, so they
cannot drift. Re-run tools/generate.py after editing
tools/slsa_data.py to revise the graph; it preserves every existing
UID↔requirement mapping and only allocates UIDs for requirements that have none yet.
SLSA v1.2 defines two normative tracks, and they are two genuinely different purposes, so this source has two root intents rather than one umbrella:
| Track | Root | Levels | What it grades |
|---|---|---|---|
| Build | INT-0001 |
L0–L3 | the integrity and provenance of the build that produced an artifact |
| Source | INT-0002 |
L1–L4 | the authorship, history and provenance of the source revision |
Under each track root:
- Requirement groups (Build: Producer, Provenance generation, Isolation strength;
Source: Organization, Source Control System) are
user_requirements thatderives_fromtheir track's intent. - Individual requirements are
system_requirements thatimplementstheir group, each carrying its track inattrs.slsa_trackand the minimum level at which it becomes mandatory inattrs.slsa_level(the SLSA analogue of ASVS's L1/L2/L3). Levels are cumulative, so a requirement is recorded once, at the lowest level it applies.
- throughline UIDs are this source's own (
SR-0001…), immutable and never the SLSA requirement name. The published name lives inattrs.source_ref("Distribute provenance"); the minimum level inattrs.slsa_level; the track inattrs.slsa_track. - Root intents are non-normative — each track justifies itself; every group and
requirement must trace to a root or
tl checkfails.
SLSA versions itself (v0.1 → v1.0 was a full restructure; v1.1/v1.2 added the Source
track additively). Editions are git tags of this one repo (v1.2 now); a future full
restructure would become a release branch, the way throughline-asvs handles v4 → v5.
In a consuming throughline project's throughline.toml:
[[sources]]
namespace = "slsa"
url = "https://github.com/timebacksolutions/throughline-slsa"
ref = "v1.2"Then reference a requirement from your own items:
links:
- target: slsa:SR-0006 # SLSA Build L3, "Provenance is unforgeable"
type: satisfiestl-compose check resolves the reference; bare tl check fails fast and points you at
tl-compose.
pip install throughline
tl check --strict # the graph must stay sound
tl docs --check # docs/spec.md must match the graphSLSA is a project of the Open Source Security Foundation (OpenSSF), a Linux Foundation project, licensed CC BY 4.0. See NOTICE and https://slsa.dev/spec/v1.2/. This repository is Apache-2.0 for its structure and tooling; the reproduced requirement text remains the work of the OpenSSF and its contributors.