Build your own SLSA 3+ provenance builder on GitHub Actions
10-27, 11:15–11:40 (Europe/Berlin), Main stage

Supply chain attacks have increased year over year by more than 700%. High-profile attacks such as those against SolarWinds and Codecov have exposed supply chain integrity weaknesses. Supply-chain Levels for Software Artifacts (SLSA) is a set of incrementally adoptable guidelines to prevent tampering, improve integrity, and secure packages and infrastructure. The SLSA v1.0 specification was released in April 2023, and several commercial products are already available.

Writing a SLSA builder from scratch is, however, a tedious multi-month effort. In this talk, we will present the "Build Your Own Builder" (BYOB) framework for GitHub Actions: a set of APIs that lets anyone create a SLSA 3-compliant builder on GitHub in a matter of days. In particular, the BYOB framework makes it easy for GitHub Action maintainers to meet the highest SLSA Build L3 requirements. As a builder author, you don't need to worry about keeping signing keys secure, isolating builds from one another, or creating attestations; all of this is handled seamlessly by the framework.

We will start the talk by reviewing the goals of SLSA and explaining terminology and concepts such as "SLSA provenance" and "SLSA builders". We will then discuss the architectural design of the BYOB framework. We will present two case studies for the Java ecosystem, showing step by step how we built a Maven builder and a Gradle builder.

We will run an end-to-end example by building a GitHub project. Project maintainers on GitHub can invoke the Maven or Gradle builder with just a few lines of code, much as they invoke any GitHub Action. The demo will show the builder building and releasing Java artifacts to Maven Central. We will then show how to verify packages from Maven Central before ingestion.
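As an added example (not code from the talk or from the BYOB framework), the kind of ingestion policy check a consumer applies to a SLSA v1.0 provenance statement before accepting an artifact: the artifact digest must appear among the statement's subjects, the builder id must be the one the consumer trusts, and the build must come from the expected source tag. The builder id, source URI and artifact bytes are constructed placeholders, and the check assumes the DSSE envelope signature was already verified with a tool such as slsa-verifier.

```python
import hashlib

# Placeholders for the consumer's policy (not values from the talk).
TRUSTED_BUILDER_ID = "https://github.com/example-org/byob-maven-builder/.github/workflows/builder.yml"
EXPECTED_SOURCE = "git+https://github.com/example-org/my-java-lib@refs/tags/v1.2.0"

# Constructed stand-in for the downloaded my-java-lib-1.2.0.jar bytes.
ARTIFACT = b"constructed-jar-bytes"

# Constructed SLSA v1.0 provenance (an in-toto Statement) as a builder would emit it.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "my-java-lib-1.2.0.jar",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example-org/byob-maven-builder/v1",
            "externalParameters": {"source": {"uri": EXPECTED_SOURCE}},
        },
        "runDetails": {"builder": {"id": TRUSTED_BUILDER_ID}},
    },
}


def check_provenance(statement: dict, artifact: bytes,
                     trusted_builder: str, expected_source: str) -> list:
    """Return the list of policy failures; an empty list means the artifact passes.

    Assumes the DSSE envelope signature over the statement was verified beforehand;
    this only evaluates the statement's contents against the ingestion policy."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("predicate is not SLSA provenance v1")
    # The artifact we hold must be one of the subjects the builder attested to.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("artifact digest is not among the provenance subjects")
    pred = statement.get("predicate", {})
    # Only provenance from the trusted (Build L3) builder is acceptable.
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id != trusted_builder:
        problems.append(f"untrusted builder: {builder_id}")
    # The build must have consumed the source revision we expect.
    source = (pred.get("buildDefinition", {}).get("externalParameters", {})
              .get("source", {}).get("uri"))
    if source != expected_source:
        problems.append(f"unexpected source: {source}")
    return problems
```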

At the end of this talk, participants will understand how to adopt SLSA on GitHub, and how to create secure builders that meet their needs while adhering to the highest SLSA security requirements.

Laurent is a security engineer in the Open Source Security Team (GOSST) at Google. His team works in collaboration with the open-source community and the OpenSSF on novel security solutions, such as Scorecards, Allstar, Sigstore, SLSA, OSS-Fuzz, OSV, etc.
