Friday 26 June 2026 09:20:24 GMT+02:00

Netcrook


WIKICROOK

SLSA

A software supply-chain framework for strengthening build integrity and artifact trust.

SLSA, short for Supply-chain Levels for Software Artifacts, is a framework for improving the integrity of software builds and the trustworthiness of released artifacts. It defines progressively stronger controls for how code is built, signed, and verified, with the goal of making tampering easier to detect and harder to hide.

In cyber security, SLSA matters because many attacks target the build pipeline rather than the source code itself. If an attacker compromises CI/CD, steals publishing credentials, or abuses a trusted workflow, they can produce artifacts that look legitimate even when they contain malware. SLSA helps defenders reduce that risk with hardened build isolation, provenance attestations, and verifiable, repeatable release processes. In practice, teams use SLSA concepts to check whether a package came from a trusted workflow, whether its build inputs were controlled, and whether the artifact can be traced back to a known source revision.
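The checks listed above can be applied to a SLSA provenance attestation directly. The following is an added example (not code from the SLSA project): it builds a constructed in-toto v1 statement with a SLSA provenance v1 predicate and a policy routine that confirms the artifact hash matches an attested subject, the builder is on an allow-list, and the build resolves to a pinned commit in the expected repository. It assumes the DSSE envelope signature has already been verified against the builder's key, and all URIs and digests are placeholders.

```python
import hashlib

# Constructed example artifact and SLSA v1 provenance (placeholder values, not a real release).
ARTIFACT = b"example-package-1.2.3 contents"
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-package-1.2.3.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/ci@v1",
            "externalParameters": {},
            "resolvedDependencies": [
                {"uri": "git+https://example.invalid/org/repo@refs/heads/main",
                 "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}},
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/hardened@v1"}},
    },
}

TRUSTED_BUILDERS = {"https://example.invalid/builders/hardened@v1"}
EXPECTED_SOURCE = "git+https://example.invalid/org/repo"


def verify_provenance(artifact, statement, trusted_builders, expected_source):
    """Return a list of policy failures; an empty list means the artifact passes.

    Assumes the enclosing DSSE envelope signature was already verified against
    the builder's public key; this routine checks only the statement's claims.
    """
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("predicate is not SLSA provenance v1")
    # The artifact being installed must be exactly what the builder attested to.
    actual = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == actual for s in statement.get("subject", [])):
        failures.append("artifact digest not among attested subjects")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder: {builder}")
    # The build must be traceable to a pinned commit in the expected source repository.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    src = [d for d in deps if d.get("uri", "").startswith(expected_source)]
    if not any(len(d.get("digest", {}).get("gitCommit", "")) == 40 for d in src):
        failures.append("no pinned source commit for expected repository")
    return failures
```

A real verifier would additionally reject statements whose builder identity does not match the key that signed the DSSE envelope, since an attacker who can forge the statement can also claim a trusted builder ID.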
