SLSA Build Levels

SLSA Build Levels report on various security aspects of a project to provide a score that represents its overall trustworthiness and completeness. See SLSA Levels.

Macaron’s Provenance verified check uses the criteria of SLSA Build Levels to output a result that matches the correct level for a given artifact.

  • Build Level 0: There is no provenance for the artifact.

  • Build Level 1: There is provenance for the artifact but it cannot be verified.

  • Build Level 2: There is provenance for the artifact, and it has been verified.

  • Build Level 3: There is provenance for the artifact, it has been verified, and the build service isolates provenance generation in the control plane from the untrusted build process.

Note

Build Level 4 is not included in the check.