COMPLIANCE

Accelerate Your Path to SLSA Compliance with Cloudsmith

REACHING COMPLIANCE

SLSA Level 2 and Beyond

Building a tamper-resistant software supply chain with Cloudsmith
A Progressive Framework
SLSA is structured into progressive levels, each building on the last to move from minimal safeguards to a hardened, verifiable supply chain. Level 2 is the first level that gives you tamper resistance for artifacts: builds must run on a hosted platform, and that platform must sign the provenance it generates, so a consumer can verify where an artifact came from and how it was built.
Your Path to SLSA Compliance
With Cloudsmith, your teams can achieve SLSA Level 2 compliance (and beyond). Our cloud-native artifact management platform handles secure artifact storage, provenance metadata, and worldwide delivery, letting your team focus on shipping code, not managing complexity. No fuss, less chaos.

What is Required for SLSA Level 2?

In collaboration with cloud-based CI/CD services, Cloudsmith addresses storage, verification, and distribution requirements for SLSA compliance without the extra overhead.

Achieving SLSA Level 2 requires two key components.

Hosted Platforms

Use a hosted build platform that generates signed provenance metadata.

Digital Provenance

Store, verify, and securely distribute signed artifacts and metadata.

How can Cloudsmith Help Achieve SLSA Level 2?

Cloudsmith works alongside hosted build platforms like GitHub Actions, Google Cloud Build, and CircleCI, providing secure storage, verification, and delivery of your software artifacts and metadata.

Secure Artifact & Provenance Storage

Cloudsmith stores your artifacts alongside their provenance metadata, clearly showing the who, how, and when behind every build.

Built-in Verification and Integrity Checks

Signatures on uploaded artifacts are checked automatically, and Cloudsmith adds its own signatures and checksums so consumers can tell what is genuine.

Globally Trusted Distribution

Artifacts get to your teams quickly, wherever they are, using infrastructure trusted by enterprises and dev teams worldwide.

FULLY CLOUD-NATIVE

Cloudsmith’s Cloud-Native Advantage

As a genuinely cloud-native artifact registry platform, Cloudsmith ensures that your SLSA-compliant artifacts and metadata remain secure, scalable, and resilient.
Dynamic Scaling, Zero Maintenance
We handle sudden traffic spikes automatically so you don’t have to, keeping your packages and artifacts available without you lifting a finger.
End-to-End Integrity by Design
Your packages and artifacts are safe from the moment they’re uploaded until they’re in your team’s hands; no gaps, no worries.
Immediate Compliance, No Complexity
Automated provenance, signatures, and checksums eliminate manual busywork and simplify compliance for everyone.

Go Beyond SLSA Level 2

Cloudsmith doesn’t stop at SLSA Level 2. With foundational security capabilities to build upon, you can progressively adopt higher SLSA Levels:
  • Isolation by Design: Artifacts and metadata are stored separately from your infrastructure, reducing risk. Cloudsmith also acts as an isolation layer between you and third parties.
  • Tamper-Proof Infrastructure: Metadata can’t be altered after upload, giving you a clear and transparent record of every artifact as it progresses through your software supply chain.
  • Ready for Advanced Controls: You can connect tools like slsa-verifier, Sigstore, and cosign for extra layers of verification. Policies let you enforce additional checks on artifacts and their metadata before they are consumed.
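As an added illustration (not Cloudsmith’s code, nor code from any build platform or from slsa-verifier), the Go program below shows what the two Level 2 components and the verification tools named above actually do: the "hosted platform" side signs a SLSA v1 provenance statement inside a DSSE envelope, and the consumer side refuses an artifact unless the signature verifies over DSSE’s pre-authentication encoding under a trusted key, the statement is a SLSA provenance, the builder is on an allow list, and the artifact’s sha256 appears among the statement’s subjects. The key ID, builder ID, artifact name and artifact contents are constructed placeholders; in practice the key is published by the build platform (or signing is keyless via Sigstore) and the check is delegated to slsa-verifier or cosign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is a DSSE envelope, the container in-toto/SLSA attestations are shipped in.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the statement JSON
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64 of the raw signature bytes
}

// Statement is the subset of an in-toto v1 Statement with a SLSA v1 predicate that the check needs.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     struct {
		RunDetails struct {
			Builder struct {
				ID string `json:"id"`
			} `json:"builder"`
		} `json:"runDetails"`
	} `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

const (
	inTotoPayloadType = "application/vnd.in-toto+json"
	statementType     = "https://in-toto.io/Statement/v1"
	slsaProvenanceV1  = "https://slsa.dev/provenance/v1"
)

// PAE is DSSE's pre-authentication encoding: these bytes, not the raw payload, are what gets signed.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// SignProvenance plays the hosted build platform: it emits signed SLSA v1 provenance for artifact.
func SignProvenance(priv ed25519.PrivateKey, keyID, name, builderID string, artifact []byte) (Envelope, error) {
	sum := sha256.Sum256(artifact)
	var st Statement
	st.Type, st.PredicateType = statementType, slsaProvenanceV1
	st.Subject = []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}}
	st.Predicate.RunDetails.Builder.ID = builderID
	body, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, PAE(inTotoPayloadType, body))
	return Envelope{PayloadType: inTotoPayloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// VerifyProvenance is the consumer-side gate run before an artifact is trusted. Nil means accept.
func VerifyProvenance(env Envelope, trustedKeys map[string]ed25519.PublicKey, trustedBuilders map[string]bool, artifact []byte) error {
	if env.PayloadType != inTotoPayloadType {
		return fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	// 1. Some signature must verify under a key we trust, over the PAE. Parse nothing before this.
	pae, verified := PAE(env.PayloadType, body), false
	for _, s := range env.Signatures {
		pub, ok := trustedKeys[s.KeyID]
		raw, derr := base64.StdEncoding.DecodeString(s.Sig)
		if ok && derr == nil && ed25519.Verify(pub, pae, raw) {
			verified = true
			break
		}
	}
	if !verified {
		return errors.New("no valid signature from a trusted key")
	}
	// 2. Only a SLSA v1 provenance statement counts; any other attestation type is rejected.
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return err
	}
	if st.Type != statementType || st.PredicateType != slsaProvenanceV1 {
		return fmt.Errorf("not a SLSA v1 provenance statement: %q / %q", st.Type, st.PredicateType)
	}
	// 3. The builder must be a hosted platform on our allow list (hypothetical IDs below).
	if !trustedBuilders[st.Predicate.RunDetails.Builder.ID] {
		return fmt.Errorf("untrusted builder %q", st.Predicate.RunDetails.Builder.ID)
	}
	// 4. The provenance must describe *this* artifact: its sha256 must be one of the subjects.
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == want {
			return nil
		}
	}
	return errors.New("artifact digest not among provenance subjects: tampered artifact or wrong build")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key, standing in for the platform's
	keys := map[string]ed25519.PublicKey{"ci-key-1": pub}
	builders := map[string]bool{"https://builder.example/ci@v1": true}
	artifact := []byte("constructed package contents v1.2.3")
	env, _ := SignProvenance(priv, "ci-key-1", "pkg-1.2.3.tgz", "https://builder.example/ci@v1", artifact)
	fmt.Println("genuine artifact :", VerifyProvenance(env, keys, builders, artifact))
	fmt.Println("tampered artifact:", VerifyProvenance(env, keys, builders, []byte("constructed package contents v1.2.3 backdoored")))
}
```

The order of the checks matters: the signature is verified over the envelope before any JSON is parsed, so an attacker who can only swap the payload gets nothing; and the digest comparison is what ties the attestation to the bytes you actually downloaded, which is the check that turns stored provenance into tamper resistance.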

Integrated SLSA Compliance with Chainguard Libraries

Point Cloudsmith at Chainguard Libraries to securely get SLSA-compliant artifacts out of the box without requiring complicated setup or manual configuration of proxies:
  • Direct, secure access to Chainguard artifacts.
  • Artifacts are automatically delivered to your developers.
  • Easy, secure consumption with minimal configuration.
  • Enforce the use of SLSA-compliant artifacts through policy management.

Use Cases

SLSA is proving valuable to teams that need to ship software that is trusted, secure, and audit-ready without slowing down.

Enterprise Software Teams

Adopt SLSA compliance at scale without disrupting workflows.

Regulated Industries

Meet compliance/audit requirements for software supply chain security.

High-Growth Startups

Enhance security posture for vendor assessments to build confidence.
Cloudsmith makes SLSA Level 2 compliance simple, integrating smoothly with Chainguard Libraries and all popular build platforms.