[Technical Initiative Funding Request]: Revamp and Modernize SLSA Build Track Tooling
Technical Initiative
Supply-chain Levels for Software Artifacts (SLSA) Project
Lifecycle Phase
Incubation
Funding amount
$50,000
Problem Statement
The current SLSA reference tooling, specifically slsa-github-generator and slsa-verifier, requires modernization. The generator has a large, high-maintenance codebase that can be significantly simplified by leveraging new platform-native features such as GitHub Artifact Attestations. The verifier needs a revamp focused on supporting end-to-end SLSA verification. For example, adding new SLSA statement types to the verifier is non-trivial, which makes it difficult to add verification as new SLSA tracks are proposed. It also duplicates functionality that is available in other dedicated tools such as Cosign, rather than focusing on policy-based attestation verification.
Who does this affect?
This affects developers and organizations attempting to adopt SLSA to secure their software supply chain. The complexity and maintenance burden of the current tooling can act as a barrier to adoption. It impacts security teams and consumers of SLSA attestations who need a streamlined, reliable, and policy-driven method for verification.
Have there been previous attempts to resolve the problem?
The existing tools represent the initial approach to solving this problem. That approach worked to establish the viability and utility of SLSA. However, the ecosystem has since evolved. This request proposes focusing on end-to-end verification, simplification, and integration. We will leverage platform features (GitHub Artifact Attestations) and compose with other tools (e.g. Cosign) where possible. This reduces the maintenance burden and aligns the SLSA tooling with other tooling in the ecosystem.
Why should it be tackled now and by this TI?
Tackling this now will lower the barrier to SLSA adoption and allow the project to focus its resources on evolving the specification rather than maintaining complex tooling. Additionally, the SLSA community has called for examples of end-to-end SLSA usage, and these tools would serve as such examples.
Give an idea of what is required to make the funding initiative happen
- Code Review and Planning: A thorough review of both the slsa-github-generator and slsa-verifier codebases to create a detailed plan for feature deprecation and migration.
- Generator Rewrite: Replace the existing generator with a set of reusable GitHub Actions workflows that utilize GitHub Artifact Attestations.
- Verifier Rewrite: Refactor the verifier to focus exclusively on SLSA policy verification, delegating signature verification to external tools such as Cosign. Additionally, review in-toto/attestation-verifier and determine whether the SLSA verifier should use it, or whether new capabilities should be developed in line with the proposed in-toto Policy Framework. This work will also include developing policies for the SLSA Build and Source tracks.
- Documentation: Create comprehensive documentation for the new tooling and detailed migration guides for existing users.
What is going to be needed to deliver this funding initiative?
This initiative will require dedicated engineering resources for the code audits, architectural design, implementation of the new workflows and policies, and creation of documentation. Community engagement will also be important for gathering feedback on the new designs and deprecation plans.
Are there tools or tech that still need to be produced to facilitate the funding initiative?
No, the core technologies proposed for the project to rely on already exist and are mature. The work of this initiative is to revamp SLSA tooling to integrate with them.
Give a summary of the requirements that contextualize the costs of the funding initiative
The primary cost of this initiative is the engineering effort required for the rewrite. This includes:
- Engineering Time: For auditing existing code, designing the new architecture, and making decisions about feature deprecation.
- Development Time: For implementing the new, simplified generator and the policy-based verifier.
- Technical Writing: For producing high-quality documentation and migration guides to ensure a smooth transition for the community.
Who is responsible for doing the work of this funding initiative?
Adolfo García Veytia, Carabiner Systems
Who is accountable for doing the work of this funding initiative?
Hayden Blauzvern, Google
If the responsible or accountable parties are no longer available, what is the backup contact or plan?
What license is this funding initiative being used under?
Apache 2.0, which is consistent with the existing SLSA project licenses.
Code of Conduct
- [x] I agree to follow the OpenSSF's Code of Conduct
List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.
- Milestone 1 (During Q1 2026): Complete code review and publish a detailed design/deprecation plan for both repositories.
- Milestone 2 (End of Q1 2026): Release a beta version of slsa-github-generator based on reusable workflows.
- Milestone 3 (During Q1 2026): Release a beta version of the new policy-based slsa-verifier with support for Build and Source tracks.
- Milestone 4 (End of Q2 2026): Complete documentation, implement OSPS Baseline controls as required by the OpenSSF project lifecycle, and cut major releases of the tooling.
If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.
The key deliverables are:
- A plan, based on the code audit, of the changes that will be made, along with a deprecation timeline
- A new major release of the SLSA GitHub generator
- A new major release of the SLSA verifier
- Documentation for these new tools
- OSPS Compliance attestations
- A blog post on SLSA once this work has been completed