What is the difference between SLSA and SBOM?

An SBOM is an inventory of 'what' is inside your artifact (dependencies), while SLSA provenance is a cryptographic proof of 'how' it was built (the process and environment).

How does this skill help with OpenSSF Scorecard?

Implementing SLSA Level 3 provenance specifically moves your 'Signed-Releases' check from a score of 8/10 to a perfect 10/10.

Can I achieve SLSA Level 3 with self-hosted runners?

It is difficult because Level 3 requires isolated build environments. Most self-hosted runners are persistent and lack the necessary isolation, often capping your ceiling at Level 1 or 2.

What tools does this playbook integrate with?

The playbook utilizes industry-standard tools including slsa-github-generator, slsa-verifier for verification, and cosign for artifact signing.

SLSA Security Playbook

Name: SLSA Security Playbook
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

セキュリティとテスト

Implements Supply Chain Levels for Software Artifacts (SLSA) to verify build integrity and secure software supply chains.

概要

This skill provides a comprehensive framework for adopting SLSA standards within your CI/CD pipelines. It guides developers through the technical requirements for progressing from SLSA Level 1 to Level 3, helping to generate non-falsifiable provenance and cryptographic proofs for build artifacts. By clarifying the roles of SBOMs versus SLSA and providing decision trees for runner configurations, it enables teams to protect their software against supply chain attacks and achieve top-tier security compliance scores.

主な機能

Incremental adoption roadmap from SLSA Level 1 to Level 3
Integration workflows for slsa-verifier, cosign, and Kyverno policy enforcement
0 GitHub stars
Clear differentiation and implementation guides for SLSA vs. SBOM
Automated provenance generation patterns for GitHub Actions
Runner classification for hosted and self-hosted build environments

ユースケース

Securing CI/CD pipelines against build-time tampering and unauthorized injections
Achieving 10/10 OpenSSF Scorecard ratings for open-source and enterprise projects
Establishing verifiable audit trails for regulatory and compliance requirements

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills slsa-implementation-playbook

For use in Claude.ai and ChatGPT

Download Skill

GitHub

概要