Open Source Summit North America 2025

In 2023 Supply-chain Levels for Software Artifacts (SLSA) was released. It provided a framework for protecting software from tampering within the CI/CD workflow from source to publication. Now it’s nearing completion of the SLSA Source Track which brings a similar level of assurance to the management of source code.

The Source Track addresses the threat of tampering with source code within the repository and allows malicious changes to source to be attributed to the actors that introduced those changes. In addition, it provides a framework for recording additional results about source revisions such as if a code review was performed or if the source was analyzed by SAST tools.

We’ll cover how this track can prevent attacks like the 2021 attack against PHP where malicious commits were added to the PHP repository and how it can be used to ensure additional controls (like code review) are implemented to protect against attacks like the recent one against xz. Finally we'll discuss how the source track can be implemented in existing source control systems by examining a proof-of-concept that enables Source Level 3 without specialized support from the source control platform.