What is the difference between SLSA and SBOM?

An SBOM is an inventory of 'what' is inside your artifact (dependencies), while SLSA provenance is a cryptographic proof of 'how' it was built (the process and environment).

How does this skill help with OpenSSF Scorecard?

Implementing SLSA Level 3 provenance specifically moves your 'Signed-Releases' check from a score of 8/10 to a perfect 10/10.

Can I achieve SLSA Level 3 with self-hosted runners?

It is difficult because Level 3 requires isolated build environments. Most self-hosted runners are persistent and lack the necessary isolation, often capping your ceiling at Level 1 or 2.

What tools does this playbook integrate with?

The playbook utilizes industry-standard tools including slsa-github-generator, slsa-verifier for verification, and cosign for artifact signing.

SLSA Security Playbook

Name: SLSA Security Playbook
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

0•

Security & Testing

Implements Supply Chain Levels for Software Artifacts (SLSA) to verify build integrity and secure software supply chains.

This skill provides a comprehensive framework for adopting SLSA standards within your CI/CD pipelines. It guides developers through the technical requirements for progressing from SLSA Level 1 to Level 3, helping to generate non-falsifiable provenance and cryptographic proofs for build artifacts. By clarifying the roles of SBOMs versus SLSA and providing decision trees for runner configurations, it enables teams to protect their software against supply chain attacks and achieve top-tier security compliance scores.

Key Features

01Incremental adoption roadmap from SLSA Level 1 to Level 3

02Integration workflows for slsa-verifier, cosign, and Kyverno policy enforcement

030 GitHub stars

04Clear differentiation and implementation guides for SLSA vs. SBOM

05Automated provenance generation patterns for GitHub Actions

06Runner classification for hosted and self-hosted build environments

Use Cases

01Securing CI/CD pipelines against build-time tampering and unauthorized injections

02Achieving 10/10 OpenSSF Scorecard ratings for open-source and enterprise projects

03Establishing verifiable audit trails for regulatory and compliance requirements

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills slsa-implementation-playbook

For use in Claude.ai and ChatGPT

Download Skill