Glossary

SLSA
  • Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”) is a software supply chain security specification that provides guidelines for improving the build integrity of software artifacts. It requires the production of authentic and verifiable provenance documents that describe how a software artifact was built. In practice, adoption depends on both open-source project maintainers and software package registries generating and accepting provenance. The npm public registry, for example, supports publishing packages with SLSA Build Level 2 provenance to improve supply chain security.

  • URL: https://slsa.dev

VSA
  • Verification Summary Attestation (VSA) is an output generated by Macaron that summarizes whether a software component complies with a policy. The VSA format is a verification document proposed by SLSA and in-toto.

  • To learn more about the VSA document generated by Macaron, see our Verification Summary Attestation page.
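The SLSA and VSA entries above describe two documents that a verifier relates to each other: a provenance statement going in, and a verification summary coming out. The following is an added illustration, not Macaron's own code or output: it checks a constructed SLSA v1 provenance statement for a constructed artifact against a small policy and emits a VSA with the SLSA verification_summary v1 field names. The builder id, build type, policy URI and verifier id are hypothetical. Note that a real verifier must first check the signature on the DSSE envelope that wraps the statement; that step is omitted here, so this only shows the content checks and the shape of the two documents.

```python
"""Added example: check a SLSA provenance statement and emit a VSA.
Not Macaron's code; field names follow the SLSA provenance v1 and
verification_summary v1 schemas, all values are constructed."""
import hashlib
from datetime import datetime, timezone

# Constructed artifact bytes standing in for a built package.
ARTIFACT = b"constructed wheel contents"
ARTIFACT_NAME = "example-1.0.0-py3-none-any.whl"

# Constructed in-toto Statement carrying a SLSA provenance v1 predicate.
# Builder id, build type and source URI are hypothetical.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": ARTIFACT_NAME,
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/build-types/ci@v1",
            "externalParameters": {
                "source": {"uri": "git+https://github.com/example/project@refs/tags/v1.0.0"}
            },
            "resolvedDependencies": [],
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/ci@v1"}},
    },
}

# Constructed policy: which builders we trust (and the build level they are
# trusted for) and which source repository the artifact must come from.
POLICY = {
    "uri": "https://example.com/policies/project-release",  # hypothetical
    "trusted_builders": {"https://example.com/builders/ci@v1": "SLSA_BUILD_LEVEL_2"},
    "expected_source": "git+https://github.com/example/project@",
}


def verify_provenance(statement, artifact, policy):
    """Return (passed, reasons, level). Signature verification of the DSSE
    envelope is assumed to have happened before this content check."""
    reasons = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        reasons.append("not an in-toto v1 Statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        reasons.append("predicate is not SLSA provenance v1")
    # The artifact we hold must be one of the subjects the provenance vouches for.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        reasons.append("artifact digest not among provenance subjects")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    level = policy["trusted_builders"].get(builder)
    if level is None:
        reasons.append(f"untrusted builder: {builder!r}")
    source = (pred.get("buildDefinition", {}).get("externalParameters", {})
              .get("source", {}).get("uri", ""))
    if not source.startswith(policy["expected_source"]):
        reasons.append(f"unexpected source: {source!r}")
    return (not reasons, reasons, level if not reasons else None)


def make_vsa(statement, resource_uri, passed, level, policy, verifier_id):
    """Build a VSA statement for the same subjects as the provenance."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": statement["subject"],
        "predicateType": "https://slsa.dev/verification_summary/v1",
        "predicate": {
            "verifier": {"id": verifier_id},
            "timeVerified": datetime.now(timezone.utc).isoformat(),
            "resourceUri": resource_uri,
            "policy": {"uri": policy["uri"]},
            "inputAttestations": [{"uri": "provenance.intoto.jsonl"}],  # hypothetical
            "verificationResult": "PASSED" if passed else "FAILED",
            "verifiedLevels": [level] if passed else [],
            "slsaVersion": "1.0",
        },
    }


if __name__ == "__main__":
    ok, why, lvl = verify_provenance(PROVENANCE, ARTIFACT, POLICY)
    vsa = make_vsa(PROVENANCE, ARTIFACT_NAME, ok, lvl, POLICY, "https://example.com/verifier")
    print(vsa["predicate"]["verificationResult"], why)
    # A tampered artifact no longer matches the subject digest and FAILS.
    print(verify_provenance(PROVENANCE, b"tampered", POLICY))
```

The point of the two functions is the division of labour the glossary entries describe: provenance states facts about the build (who built what, from which source), while the VSA records only the verdict of checking those facts against a policy, so a consumer can trust a single short document instead of re-running the checks.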

Witness
  • Witness is a tool that wraps a build command and, as the build runs, records various types of information in a provenance document in the in-toto attestation format.

  • URL: https://github.com/in-toto/witness