Glossary
- SLSA
Supply-chain Levels for Software Artifacts (SLSA or “salsa”) is a software supply chain security specification that provides guidelines to improve the build integrity of software artifacts. It mandates the production of authentic and verifiable provenance documents that describe the build process of a software artifact. It also requires the adoption of provenance generation by both open-source project maintainers and software package registries. An example of this is the npm public registry, which has added support for publishing SLSA Build Level 2 provenances to improve supply chain security.
URL: https://slsa.dev
- VSA
Verification Summary Attestation (VSA) is an output generated by Macaron that summarizes whether a software component complies with a policy. The VSA is a verification document format proposed by SLSA and in-toto.
To learn more about the VSA document generated by Macaron, see our Verification Summary Attestation page.
- Witness
Witness is a tool that wraps a build command and records various types of information in a provenance document in the in-toto format as the build execution happens.