SLSA on Blockchain
Introduction
In recent years, the integrity of the software supply chain has become a critical topic. Web3 developers rely heavily on open-source software and need to prove the integrity of their code to users. For smart contracts in particular, it is hard for a user to verify that the bytecode deployed on chain was built from the code in the GitHub repository. SLSA (Supply-chain Levels for Software Artifacts) addresses this problem.
SLSA
SLSA (Supply-chain Levels for Software Artifacts) is a security framework, originally developed at Google and now maintained by the OpenSSF (a Linux Foundation project), for improving the security of the software supply chain. Its Build track defines four levels, from no guarantees at all to builds that run on a hardened build platform.
SLSA Security Levels
- Build L0: No guarantees. Nothing is required; this is the starting point.
- Build L1: Provenance exists. The build produces provenance describing how the artifact was built (source, builder, inputs), but the provenance is not yet protected against a compromised or malicious build.
- Build L2: Hosted build platform. The build runs on a hosted platform that generates and signs the provenance, so a consumer can check that it was not forged or modified after the build.
- Build L3: Hardened builds. The build platform isolates runs from one another and keeps the signing material out of reach of user-defined build steps, so the provenance stays trustworthy even against a malicious build definition.
Move to SLSA
The goal of 'Move to SLSA' is to deploy smart contracts on the blockchain from GitHub Actions and to record their provenance, similar to the provenance that npm publishes for packages. Build platforms such as GitHub Actions (through the SLSA GitHub Generator reusable workflows) and Google Cloud Build can produce Build L3 provenance, the strongest build integrity guarantee SLSA currently defines. Note that SLSA has no certification body: a level is a property of a specific build configuration that the build platform claims and consumers verify, not a badge a platform holds.
Our project integrates the SLSA framework into the deployment of blockchain smart contracts. The provenance ties the deployed bytecode to a specific source revision and build run, so users can check that what is on chain was not tampered with between the repository and the deployment.
Key Components and Benefits
Secure Development Pipeline:
- Establish an SDLC whose build stages map to SLSA levels.
- Create build artifacts in a controlled, auditable environment.
Provenance and Attestation:
- Create signed, tamper-evident attestations for smart contracts.
- Leverage GitHub workflow identity for trusted artifact provenance.
Verifiable Builds:
- Implement reproducible builds for independent verification.
- Ensure that the build process is tamper-evident and that its output is consistent with the source code.
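The check a user actually wants to run is the one that links these pieces together: does the SLSA provenance cover the build artifact, and is that artifact's runtime bytecode what sits on chain? The script below is an added example, not code from the Move to SLSA project or the SLSA GitHub Generator. It assumes the provenance is an in-toto statement that has already passed signature verification (for example with slsa-verifier), that the artifact is a hex dump of the runtime bytecode, and that the on-chain bytes came from eth_getCode; the statement, artifact and bytecode are constructed inline so the script runs offline. It also handles the usual false alarm in this comparison: solc appends a CBOR metadata trailer (IPFS hash of the metadata JSON plus the compiler version) whose contents change with source paths and compiler settings, so two builds of identical code can differ in those trailing bytes.

```python
"""Added example: tie SLSA provenance to on-chain runtime bytecode (constructed data)."""
import hashlib
import json

STATEMENT_TYPES = {"https://in-toto.io/Statement/v1", "https://in-toto.io/Statement/v0.1"}
SLSA_PREDICATE = "https://slsa.dev/provenance/v1"
# Assumption: builds come from the SLSA GitHub Generator reusable workflows.
# Replace this prefix if a different trusted builder is used.
TRUSTED_BUILDER_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def metadata_length(runtime: bytes) -> int:
    """Length of the solc CBOR metadata trailer including its 2-byte big-endian
    length suffix, or 0 if no plausible trailer is present."""
    if len(runtime) < 2:
        return 0
    n = int.from_bytes(runtime[-2:], "big")
    if n == 0 or n + 2 > len(runtime):
        return 0
    # The trailer is a CBOR map, so its first byte must be a major-type-5 header.
    if not 0xA0 <= runtime[-(n + 2)] <= 0xB7:
        return 0
    return n + 2


def strip_metadata(runtime: bytes) -> bytes:
    """Runtime bytecode with the solc metadata trailer removed."""
    return runtime[: len(runtime) - metadata_length(runtime)]


def provenance_covers(statement: dict, name: str, digest: str) -> bool:
    """True if the statement is SLSA v1 provenance from a trusted builder that
    lists `name` as a subject with sha256 `digest`."""
    if statement.get("_type") not in STATEMENT_TYPES:
        return False
    if statement.get("predicateType") != SLSA_PREDICATE:
        return False
    builder_id = (statement.get("predicate", {}).get("runDetails", {})
                  .get("builder", {}).get("id", ""))
    if not builder_id.startswith(TRUSTED_BUILDER_PREFIX):
        return False
    return any(s.get("name") == name and s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", []))


def verify_deployment(statement: dict, artifact_name: str, artifact_hex: str,
                      onchain_runtime: bytes) -> dict:
    """Provenance -> artifact -> on-chain bytecode, with and without the metadata trailer."""
    covered = provenance_covers(statement, artifact_name, sha256_hex(artifact_hex.encode()))
    built = bytes.fromhex(artifact_hex)
    return {
        "provenance_covers_artifact": covered,
        "exact_bytecode_match": built == onchain_runtime,
        "match_ignoring_metadata": strip_metadata(built) == strip_metadata(onchain_runtime),
    }


# ---- constructed sample data: not a real contract and not real provenance ----
def solc_trailer(ipfs_digest: bytes) -> bytes:
    """solc-style trailer: CBOR {ipfs: <34-byte multihash>, solc: <3-byte version>} + length."""
    cbor = (b"\xa2" + b"\x64ipfs" + b"\x58\x22" + b"\x12\x20" + ipfs_digest
            + b"\x64solc" + b"\x43\x00\x08\x19")
    return cbor + len(cbor).to_bytes(2, "big")   # 51 bytes -> 0x0033, as solc emits


BODY = bytes.fromhex("6080604052348015600f57600080fd5b506004361060285760003560e01c")
BUILT_RUNTIME = BODY + solc_trailer(bytes(range(32)))
ONCHAIN_RUNTIME = BODY + solc_trailer(bytes(range(32, 64)))        # same code, other metadata hash
TAMPERED_RUNTIME = BODY[:-1] + b"\x00" + solc_trailer(bytes(range(32, 64)))  # one opcode changed

ARTIFACT_NAME = "Counter.runtime.hex"   # hypothetical artifact name
ARTIFACT_HEX = BUILT_RUNTIME.hex()

PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": ARTIFACT_NAME,
                 "digest": {"sha256": sha256_hex(ARTIFACT_HEX.encode())}}],
    "predicateType": SLSA_PREDICATE,
    "predicate": {"runDetails": {"builder": {
        "id": TRUSTED_BUILDER_PREFIX
              + ".github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0"}}},
}

if __name__ == "__main__":
    print(json.dumps(verify_deployment(PROVENANCE, ARTIFACT_NAME, ARTIFACT_HEX, ONCHAIN_RUNTIME), indent=2))
    print(json.dumps(verify_deployment(PROVENANCE, ARTIFACT_NAME, ARTIFACT_HEX, TAMPERED_RUNTIME), indent=2))
```

For the honest redeploy the exact comparison fails while the metadata-stripped comparison passes; for the tampered bytecode both fail, which is the signal to refuse to trust the contract. Two caveats for real deployments: contracts that use immutable variables have those values patched into the runtime bytecode at deployment time, so the affected offsets must be masked before comparing (solc reports them in the `immutableReferences` output), and the comparison is only meaningful after the provenance signature and source repository have been verified, which this script deliberately leaves to slsa-verifier.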
Compliance and Auditability:
- Meet regulatory requirements with an auditable development trail.
- Use SLSA logs and trails to demonstrate compliance with security standards.
Related Links
For more information on SLSA and its benefits, refer to the official SLSA website, the SLSA GitHub repository, and the SLSA GitHub Generator.