Dependency Track
Basics
Objective
Enable an organization that ingests third-party software dependencies to measure, control, and reduce the supply chain risk those dependencies introduce. Define a per-ingestion attestation, Dependency Ingestion Provenance, that downstream parties can verify.
Why this track exists
Applying SLSA recursively to every dependency would address most consumption risks if each upstream producer published SLSA Build and Source attestations. Most upstream OSS does not yet do so, and recursive verification is not achievable across most of the open source ecosystem.
The Dependency Track provides controls that fill that gap. These controls fall into two groups in this track’s L1-L3 scope:
- Controls applied at the boundary that limit which upstream artifacts can reach the build at all (the ingestion chokepoint, deny-list, constraints on install-time behavior, structural enforcement).
- Controls that produce the ingestor’s own attestations about each consumed dependency when upstream attestations are unavailable (inventory, scans, integrity verification, source mirror, upstream provenance verification when available).
A third group of controls produces the ingestor’s own producer-side attestations over consumed dependencies via rebuild. That work is deferred to a future cross-cutting axis. See Future Considerations.
Audience
The Dependency Track is for any organization that ingests third-party software dependencies. This includes software producers in their role as consumers of upstream OSS, and pure consumers (e.g., enterprises that consume OSS internally but do not ship downstream software). Medium and large organizations benefit most.
Scope
The scope is third-party build dependencies: software artifacts fetched or otherwise made available to the build environment during the build of a released artifact. Runtime dependencies, base images, and developer tooling are out of scope for this revision and listed under Future Considerations.
The track imports the attestable subset of the OpenSSF Secure Supply Chain Consumption Framework (S2C2F). S2C2F requirements that describe organizational practice rather than per-artifact evidence (incident response plans, manual update capability, registry-approval policy) are out of scope. See the S2C2F mapping appendix for the full mapping, including which requirements are referred to the OpenSSF Security Baseline.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.
Dependency Ingestion Provenance
Dependency Ingestion Provenance is the per-ingestion attestation defined by this track. A Dependency Ingestion Platform emits one attestation per ingested artifact describing how that artifact entered the ingestor’s environment.
- Predicate type URI:
https://slsa.dev/dependency/v1 - Envelope: in-toto Statement v1, see Attestation model.
- Subject: the cryptographic digest of the ingested dependency artifact.
- Granularity: one attestation per ingested artifact. A release-level inventory such as an SBOM references the set of attestations for the dependencies it contains.
A producer that publishes both SLSA Build Provenance and
Dependency Ingestion Provenance SHOULD reference the latter from the
former’s resolvedDependencies field, by subject digest. A verifier
walking from a built artifact’s Build Provenance reaches its Dependency
Ingestion Provenance attestations directly, without depending on an
out-of-band SBOM.
The schema, parsing rules, and verification procedure are documented in Dependency Provenance.
Definitions
| Primary Term | Description |
|---|---|
| Build dependency | Software artifact fetched or otherwise made available to the build environment during the build of the artifact. Includes open- and closed-source binary dependencies. |
| Ingestor | The organization that operates the Dependency Ingestion Platform and consumes third-party build dependencies. May or may not also be a SLSA Producer of downstream artifacts. |
| Dependency Ingestion Platform | Infrastructure that admits third-party build dependencies into the ingestor’s environment and emits Dependency Ingestion Provenance per ingestion event. Typically composed of an artifact repository manager, scanner suite, and integrity verifier. |
| Dependency Ingestion Provenance | Per-(artifact, ingestion event) attestation describing how the dependency entered the ingestor’s environment. Predicate type https://slsa.dev/dependency/v1. |
| Package registry | An entity that maps package names to artifacts within a packaging ecosystem. Most ecosystems support multiple registries (a global one plus private ones). |
| Artifact repository manager | A storage solution that manages artifact lifecycle across package management systems while providing consistency to a CI/CD workflow. Typically the binary chokepoint of a Dependency Ingestion Platform. |
| Package source files | A language-specific config file in a source code repository that identifies the package registry feeds or artifact repository manager feeds to consume dependencies from. |
| Source mirror | An internally hosted copy of an upstream dependency’s source code (not just its packaged artifact), maintained to enable source-level scanning and continued availability when upstream sources are unavailable. |
Levels
| Track/Level | Mnemonic | Requirements |
|---|---|---|
| Dep L0 | (none) | (n/a) |
| Dep L1 | Inventoried | The platform emits a Dependency Ingestion Provenance for each ingested dep, naming the dep and recording scan verdicts for vulnerabilities and end-of-life status. |
| Dep L2 | Controlled | The platform is the only path through which deps are ingested, including transitive deps. Per-fetch integrity is verified. Upstream publisher signatures are verified when available. Install-time code execution and network access are constrained. The Provenance is signed by the platform. |
| Dep L3 | Screened | Ingestion bypass is blocked. Each dep is screened against a deny-list and a malware feed, and is subject to a minimum version-age policy. Upstream provenance is verified when available. The platform’s Provenance signature is recorded in a transparency log. |
Why the levels are structured this way
Build’s levels strengthen the integrity of one attestation against a build tenant adversary. The Dependency Track’s adversary is the dependency itself and whoever published it; the ingestor does not run adversarial code on the platform. The levels here describe what claims the platform makes about each ingested dep, and how tightly the ingestion path is controlled.
The structure follows three principles from SLSA’s principles doc:
-
Simple levels with clear outcomes. Each level has a single-word mnemonic and a clear set of requirements. The mnemonics grade up: each level adds a new class of claim about each ingested dep.
-
Trust platforms, verify artifacts. Requirements are split between the Ingestor and the Dependency Ingestion Platform. Verifiers verify the Provenance, not the platform’s deployed configuration.
-
Prefer attestations over inferences. Each requirement specifies what the Dependency Ingestion Provenance must contain or guarantee, not what configuration state to observe.
A future cross-cutting axis would introduce a stronger “Verified” tier where the ingestor produces their own producer-side attestations over consumed deps, typically by rebuilding each dep under the ingestor’s own SLSA Build platform. That work is a different kind of claim from what this track describes and is reserved for that future axis. See Future Considerations.
Dep L0: No guarantees
- Summary
-
No requirements. L0 represents the absence of SLSA Dependency Track claims.
- Intended for
-
Organizations that have not yet adopted the Dependency Track.
- Requirements
-
n/a
- Benefits
-
n/a
Dep L1: Inventoried
- Summary
-
For each ingested dependency, a Dependency Ingestion Provenance exists that identifies the dependency. Identity-verification verdicts, scan verdicts, and policy-evaluation results MAY be recorded in the Provenance; values MAY be
unverified/unavailable/not-evaluated. Trivial to bypass or forge. - Intended for
-
Organizations that want baseline visibility into their third-party dependency footprint, without yet investing in a hardened ingestion path. A starting point for downstream verifiers to apply policy on top.
- Requirements
-
- Ingestor:
- Choose an appropriate Dependency Ingestion Platform.
- Distribute Dependency Ingestion Provenance for every ingested dependency that contributes to a release.
- Dependency Ingestion Platform:
- Maintain an automated inventory by emitting a Dependency Ingestion Provenance for each ingested dependency.
- Ingestor:
- Benefits
-
- Consumed dependencies are knowable from per-dep attestations bound to a release.
- Provides a baseline that downstream parties can verify before higher levels are achieved.
- Voluntarily-recorded verdicts (integrity, publisher signature, scan results, policy evaluations) become consumable evidence that downstream verifiers can require via policy, even when this track does not require the platform to populate them at L1.
- Notes
-
- The Provenance MAY be unsigned and self-asserted at L1. Nothing prevents a dep from being brought in outside the platform; nothing binds the recorded fields to the bytes actually consumed; nothing requires identity verification. L2 grounds the Provenance in a controlled flow with verified identity.
- This track does not prescribe what scans or policy evaluations to run at L1. A producer that runs scans MAY record the verdicts; verifiers MAY require specific recorded evidence as a matter of their own policy.
Dep L2: Controlled
- Summary
-
Dep L2 makes the Provenance authentic and the ingestion path configured. The Dependency Ingestion Platform is the configured path through which dependencies enter the ingestor’s environment, including transitive dependencies resolved by the package manager. The platform performs identity verification (per-fetch integrity MUST be
verified, and publisher signature MUST beverifiedwhen upstream publishes one). For any admission policies the platform applies, the Provenance records them transparently. The platform signs the Dependency Ingestion Provenance.Forging the Provenance now requires forging the platform’s signature.
- Intended for
-
Organizations that have adopted L1 and want the recorded Provenance to be grounded in a controlled flow with verified identity, signed by the platform.
- Requirements
-
All of Dep L1, plus:
- Ingestor:
- Dependency Ingestion Platform:
- Operate as the ingestion chokepoint.
- Admit transitive dependencies through the platform.
- Verify per-fetch integrity — verdict MUST be
verified. - Verify upstream publisher signature when available — verdict MUST be
verifiedwhen upstream publishes a signature;unavailableotherwise. - Record any admission policies applied.
- Sign the Dependency Ingestion Provenance. See Dependency Provenance.
- Benefits
-
All of Dep L1, plus:
- Identity-verification verdicts bind the inventory to bytes that actually match upstream’s claim.
- Transitive resolution comes through the same chokepoint: a malicious transitive dep cannot be pulled in from outside the platform by an otherwise-benign direct dep.
- Publisher-account takeover is detected at ingestion when upstream publishes a signature.
- Whatever admission policies the platform applies are transparent in the Provenance, so verifiers can apply their own policy on top.
- Forging the Provenance requires forging the platform’s signature.
- Notes
-
- This track does not prescribe which admission policies the
platform must apply. A platform that applies no admission policies
records an empty
policyEvaluations[]; verifiers can refuse that as a matter of their own policy. - A determined developer or build can still bypass the configured path. L3 closes that gap with structural enforcement.
- This track does not prescribe which admission policies the
platform must apply. A platform that applies no admission policies
records an empty
Dep L3: Screened
- Summary
-
Dep L3 closes the threats L2 leaves open: (a) bypass is structurally blocked, not just detectable; (b) the upstream-provenance reference for each dep is recorded (verified when available,
unavailableotherwise) so the chain of trust ties to upstream’s source of truth; and (c) a hostile dep cannot subvert the Provenance about itself or about other deps in the same ingestion run, because the signing infrastructure is unreachable from dep code and each dep’s ingestion is isolated. The Shai Hulud npm attacks made this last threat class concrete: malicious dependencies whose install scripts steal credentials from the ingestion environment. - Intended for
-
Most software releases that consume third-party dependencies. Dep L3 typically requires significant investment in the ingestion platform.
- Requirements
-
All of Dep L2, plus:
- Dependency Ingestion Platform:
- Block non-platform paths.
- Record the upstream-provenance verdict in every Provenance — verdict MAY be
verified,failed,not-attempted, orunavailable. - Isolate signing infrastructure from dep code.
- Isolate the ingestion of each dep from others.
- Record the platform’s Dependency Ingestion Provenance signatures in a transparency log. See Dependency Provenance.
- Dependency Ingestion Platform:
- Benefits
-
All of Dep L2, plus:
- Ingestion bypass is blocked, not just detectable. The Provenance describes every consumed dependency.
- The upstream-provenance reference is recorded for every dep; when upstream produces SLSA Build Provenance, a verifier inherits upstream’s Build-side guarantees by reference.
- A malicious dep cannot steal the platform’s Provenance signing key via an install hook (Shai Hulud-style) because the key is not reachable from any process that executed dep code.
- A malicious dep cannot affect the ingestion of another dep, because each dep’s ingestion is isolated from the others.
- Recording platform signatures in a transparency log lets downstream verifiers detect platform signing-key compromise.
- Notes
-
- This track does not prescribe which admission policies the
platform applies. Verifiers that require specific policies
(deny-list against a malicious-packages feed, a minimum
version-age, a malware scan, etc.) MAY refuse Provenance whose
recorded
policyEvaluations[]doesn’t include the expected entries. - A “Verified” tier where the ingestor produces their own producer-side attestations over consumed deps (typically via rebuild) is reserved for a future cross-cutting axis. See Future Considerations.
- This track does not prescribe which admission policies the
platform applies. Verifiers that require specific policies
(deny-list against a malicious-packages feed, a minimum
version-age, a malware scan, etc.) MAY refuse Provenance whose
recorded
Requirements
Each requirement below specifies either an action the ingestor MUST take or a property the Dependency Ingestion Provenance MUST guarantee. RFC 2119 keywords apply as marked.
Overview
Security Best Practices
While the exact definition of what constitutes a secure Dependency Ingestion Platform is beyond the scope of this specification, all implementations MUST use industry security best practices to be conformant. This includes, but is not limited to, using proper access controls, securing communications, implementing proper management of cryptographic secrets, doing frequent updates, and promptly fixing known vulnerabilities.
Ingestor
An ingestor is the organization that operates a Dependency Ingestion Platform and consumes third-party build dependencies. The ingestor MAY also be a Producer of downstream software, or MAY be a pure consumer (an enterprise that consumes OSS internally without releasing downstream artifacts).
Choose an appropriate Dependency Ingestion Platform
The ingestor MUST select a Dependency Ingestion Platform capable of reaching their desired SLSA Dependency Level.
For example, an ingestor targeting Dep L3 MUST choose a platform capable of emitting Dependency Ingestion Provenance with policy-evaluation, source-mirror, and upstream-provenance fields populated and signed.
Distribute Dependency Ingestion Provenance
The ingestor MUST distribute (or, for ingestors that do not release downstream software, hold) the Dependency Ingestion Provenance attestations emitted by the platform for every third-party dependency consumed by a released artifact. The ingestor MAY delegate distribution to the platform.
Configure build to resolve through the platform
The ingestor MUST configure their build’s package source files (lockfiles, package-source mappings, equivalent ecosystem-specific configuration) so that the build resolves third-party dependencies only through the chosen Dependency Ingestion Platform, with versions pinned and integrity hashes recorded.
Examples: package-source-mapping in NuGet;
.npmrcregistry pinning combined withpackage-lock.jsonintegrity hashes;pip --require-hasheswith arequirements.txtlockfile;go.sum;Cargo.lock.
Maps to S2C2F ENF-1.
Dependency Ingestion Platform
A Dependency Ingestion Platform is the infrastructure that admits third-party build dependencies into the ingestor’s environment and emits Dependency Ingestion Provenance. A platform is typically composed of an artifact repository manager, a scanner suite, and an integrity verifier. The defining property is that it emits the Provenance, not any particular product combination.
The platform’s responsibilities increase with the level. At L1 it emits
an inventory Provenance per ingested dep. At L2 it operates as the
ingestion chokepoint, performs identity-verification with verified
results, and signs the Provenance. At L3 it structurally enforces the
chokepoint and is hardened so that a hostile dep cannot subvert the
Provenance about itself or about other deps.
L1 requirements: Inventoried
At L1, the platform MUST emit, for every third-party build dependency
it admits, a Dependency Ingestion Provenance attestation that
identifies the dependency. Identity-verification verdicts, scan
verdicts, and policy-evaluation results MAY be recorded in the
Provenance; values MAY be unverified / unavailable /
not-evaluated when the platform did not perform a given check. The
Provenance MAY be unsigned and self-asserted at L1.
| Requirement | Description | L1 | L2 | L3 |
|---|---|---|---|---|
| Inventory (Automated) 🔗 |
The platform MUST emit a Dependency Ingestion Provenance attestation for every third-party build dependency it admits, identifying the dependency by name, version, and cryptographic digest. Together the set of attestations associated with a release MUST be sufficient to enumerate every direct and transitive third-party dependency contributing to that release.
Maps to S2C2F INV-1. | ✓ | ✓ | ✓ |
L2 requirements: Controlled
At L2 the platform operates as the configured ingestion path including
for transitive dependencies. The platform performs identity-verification
with verified results (per-fetch integrity, and publisher signature
when upstream publishes one), records any admission policies it
applies, and signs every Dependency Ingestion Provenance it emits.
| Requirement | Description | L1 | L2 | L3 |
|---|---|---|---|---|
| Operate as ingestion chokepoint 🔗 |
The Dependency Ingestion Platform MUST be configured as the ingestion path through which third-party build dependencies enter the ingestor’s environment, and MUST record the platform’s identity in every Dependency Ingestion Provenance it emits. The platform sources upstream artifacts under its own controlled path; consumers fetch from the platform, not from upstream registries directly. At L2 the chokepoint is configured. Structural enforcement that makes the chokepoint the only physically reachable path is required at L3 (see Block non-platform paths).
Maps to S2C2F ING-2. | ✓ | ✓ | |
| Admit transitive dependencies through the platform 🔗 |
When a package manager resolves transitive dependencies of an admitted
artifact (deps declared in the artifact’s manifest and fetched at install
or build time), the Dependency Ingestion Platform MUST admit each
transitive dependency through the same controls applied to direct
dependencies. The Dependency Ingestion Provenance for a transitive
dependency MUST record, in This closes a category of attack where a direct dependency goes through the platform but its transitive dependencies are fetched from arbitrary upstream sources, defeating the chokepoint.
This requirement has no S2C2F ID. It makes explicit the transitive scope of S2C2F’s ING-2 and ENF-1. | ✓ | ✓ | |
| Identity-verification verdict (integrity) 🔗 |
The Dependency Ingestion Provenance MAY record a per-fetch integrity
verdict at L1; at L2+ this verdict MUST be present and MUST be
At L1 the platform MAY emit an
Maps to S2C2F AUD-3. | OPTIONAL | ✓ | ✓ |
| Identity-verification verdict (publisher signature) 🔗 |
The Dependency Ingestion Provenance MAY record a publisher-signature
verdict at L1; at L2+ this verdict MUST be present. When the upstream
of a consumed dependency publishes a publisher signature, the platform
MUST verify that signature against the publisher’s expected identity
at L2+ and MUST record the Publisher signature verification is distinct from per-fetch integrity (which only confirms the artifact matches a known hash) and from upstream provenance verification (which confirms how the artifact was built). It detects publisher-account takeover and impersonation.
This requirement has no S2C2F ID. S2C2F’s AUD-3 covers integrity broadly; this requirement separates publisher identity from artifact integrity. | OPTIONAL | ✓ | ✓ |
| Record any admission policies applied 🔗 |
For every dependency-admission policy the Dependency Ingestion Platform
applies (deny-list, version-age, license filter, malware-scanner gate,
or any other policy the operator chooses to run), the Dependency
Ingestion Provenance MUST record the policy’s identity, version,
evaluation timestamp, and verdict, all bound to the artifact’s
cryptographic digest. The Provenance MUST NOT be emitted with a This requirement does NOT prescribe which policies a platform must apply. The Dependency Track does not specify whether to use a deny-list, what the version-age cutoff should be, which malware scanner to consult, or which custom organizational policies to apply. Those are operator and verifier choices. The integrity claim is that whatever policies are applied are transparent in the Provenance. A verifier can then refuse Provenance whose recorded policy set does not satisfy the verifier’s policy. This is structurally similar to how Build Provenance’s
This requirement has no direct S2C2F ID. It generalizes the attestable core of S2C2F’s ING-3 and similar control prescriptions without requiring any specific policy. | ✓ | ✓ |
L3 requirements: Screened
At L3 the platform blocks non-platform ingestion paths structurally, records the upstream-provenance verdict in every Provenance, isolates the Provenance signing infrastructure from any code that runs during ingestion, isolates the ingestion of each dep from others, and publishes its Provenance signatures to a transparency log.
| Requirement | Description | L1 | L2 | L3 |
|---|---|---|---|---|
| Structural enforcement 🔗 |
The Dependency Ingestion Platform MUST block consumption of third-party build dependencies from any feed other than the platform. Build environments and developer environments MUST NOT be able to resolve dependencies outside the platform. Network policy or equivalent access controls MUST prevent it, not just detect it after the fact.
Maps to S2C2F ENF-2. | ✓ | ||
| Upstream-provenance verdict recorded 🔗 |
The Dependency Ingestion Provenance MUST record an upstream-provenance
verdict at L3. The verdict identifies whether upstream-published
provenance was found, whether it was verified, and the result. Valid
values are When the upstream of a consumed dependency produces verifiable
provenance (for example, SLSA Build Provenance), the platform MUST
attempt verification against the ingestor’s expectations and MUST
record either This requirement does not prescribe what to do with the verdict —
verifiers MAY refuse Provenance with
S2C2F AUD-1 maps to “SLSA: Distribute provenance” in S2C2F v1.1. This requirement is where the Dependency Track consumes the output of the Build Track when upstream produces it. Maps to S2C2F AUD-1. | ✓ | ||
| Signing infrastructure isolation 🔗 |
The signing key used to sign Dependency Ingestion Provenance MUST NOT
be reachable by any process that executes dependency-supplied code
during ingestion. This includes install hooks, sandboxed installer
initialization, scanners that execute dep code, and any other component
where the dep’s bytes are executed. Signing MUST happen in a control
plane that did not execute dep code. The Dependency Ingestion Provenance
MUST record, in This requirement addresses a class of attack that the Shai Hulud npm worms made concrete: malicious dependencies whose install scripts exfiltrate credentials (npm tokens, GitHub tokens, AWS keys) from the ingestion environment. Without signing-infrastructure isolation, the platform’s Provenance signing key sits in that environment and a malicious dep can steal it and forge Provenance about itself or about future deps. This is the direct parallel to Build L3 signing-key isolation.
This requirement has no S2C2F ID. S2C2F’s REB-* axis approaches the same threat class by having the ingestor rebuild the dep entirely under their own SLSA Build platform; this requirement addresses the platform-side isolation instead. | ✓ | ||
| Cross-dep ingestion isolation 🔗 |
The ingestion of any one dependency MUST NOT be able to influence the
ingestion of any other dependency, nor the Provenance about any other
dependency. The platform MUST record, in This is an outcome property. The Dependency Track does not prescribe
how the platform achieves it; the requirement is the property and the
attestation of it. Two methods are recognized by the schema as ways to
satisfy the outcome and may be recorded in
Implementers MAY satisfy the outcome by other means and record those
under This is the direct parallel to Build L3 ephemeral build environment and addresses the threat of a dep’s install hook (if dep code ran at all) tampering with the ingestion environment for subsequent deps — poisoning a shared cache, modifying proxy policy state, planting a payload retrieved by the next dep, or stealing credentials used to ingest the next dep.
This requirement has no S2C2F ID. | ✓ |
S2C2F mapping appendix
The OpenSSF Secure Supply Chain Consumption Framework (S2C2F) v1.1 (CSL-1.0) is a consumer-side OSS framework that this track draws from. The Dependency Track is integrity-focused and imports only the S2C2F requirements that are integrity-relevant (about evidence existence, authenticity, controlled flow, and platform hardening). S2C2F requirements that prescribe specific best-practice operational controls (specific scans, specific admission policies, organizational practices) are out of scope — they are appropriately addressed by the OpenSSF Security Baseline or by verifier policy on top of the Provenance, not by the Dep Track.
Six S2C2F requirements are imported. Eight S2C2F requirements that prescribe operational practice are intentionally out of scope (see Out of scope for this track). Five requirements in this track have no S2C2F ID and address integrity threats S2C2F does not enumerate (see Filling S2C2F gaps). Five additional S2C2F requirements (REB-1..4, AUD-4) describe rebuild-based attestations and are deferred to a future cross-cutting axis. The remaining S2C2F requirements describe organizational practice and are referred to the OpenSSF Security Baseline.
Imported (integrity-relevant, L1–L3)
This track is deliberately integrity-focused. It imports a small set of S2C2F requirements that are integrity-relevant — about evidence existence, evidence authenticity, controlled flow, and platform hardening — rather than best-practice prescriptions.
| S2C2F ID | Practice | S2C2F level | SLSA Dep level | Requirement |
|---|---|---|---|---|
| INV-1 | Inventory | L1 | L1 | Inventory |
| ING-2 | Ingest | L1 | L2 | Operate as ingestion chokepoint |
| AUD-3 | Audit | L2 | L2 | Identity-verification verdict (integrity) |
| ENF-1 | Enforce | L2 | L2 | Configure build to resolve through the platform |
| ENF-2 | Enforce | L3 | L3 | Block non-platform paths |
| AUD-1 | Audit | L3 | L3 | Upstream-provenance verdict recorded |
ING-2 moves from S2C2F L1 to Dep L2. S2C2F placed the chokepoint as foundational practice. In this track the chokepoint is what grounds the L1 inventory in a controlled flow with signed Provenance, which is the L2 claim.
Filling S2C2F gaps (integrity-relevant additions)
These requirements have no S2C2F ID. They address integrity threats S2C2F does not enumerate as attestable claims.
| Requirement | Dep level | Why it’s needed |
|---|---|---|
| Admit transitive dependencies through the platform | L2 | The chokepoint’s integrity claim extends to transitive resolution. Without this, an L2 ingestor could chokepoint the direct dep and let its transitive dependencies be pulled from arbitrary upstream sources, defeating the chokepoint. |
| Identity-verification verdict (publisher signature) | L2 | Per-fetch integrity (matches a known hash) and upstream provenance verification (matches the upstream’s claimed build process) are distinct from publisher signature verification (signed by the publisher’s identity). Publisher signature is the strongest control against publisher-account takeover. |
| Record any admission policies applied | L2 | The integrity claim that whatever policies the platform applies are transparent in the Provenance. The track does not prescribe which policies to apply; it requires that those applied be recorded so verifiers can apply policy on top. |
| Signing infrastructure isolation | L3 | Addresses Shai Hulud-style npm-worm attacks where install scripts exfiltrate credentials (including signing keys) from the ingestion environment. Without this, a malicious dep can forge Provenance about itself or future deps. Direct parallel to Build L3 signing-key isolation. |
| Cross-dep ingestion isolation | L3 | Outcome property: a dep’s ingestion cannot affect another dep’s ingestion or the Provenance about it. Direct parallel to Build L3 ephemeral build environment. |
Out of scope for this track (best-practice prescriptions)
The Dep Track is integrity-focused and does not prescribe specific operational best practices. The following S2C2F requirements are out of scope — they prescribe specific scans, controls, or organizational practices rather than integrity properties of the Provenance. The OpenSSF Security Baseline is the appropriate home for these. A verifier targeting Dep L_n MAY independently require that the Provenance record any of these as a matter of verifier policy (e.g., “Provenance must record a vulnerability scan verdict”).
| S2C2F ID | Reason |
|---|---|
| SCA-1 (Vulnerability scan) | Prescribes which scan tooling to run. The Dep Track allows producers to record scan verdicts (scans[].type == "vulnerability") but does not require the scan be performed. |
| SCA-2 (License attribution) | Compliance concern, not integrity. License metadata is well-served by SBOMs. |
| SCA-3 (EOL detection) | Prescribes EOL scanning. Producers MAY record EOL verdicts in the Provenance; verifier policy decides if required. |
| SCA-4 (Malware scan) | Prescribes malware scanning. Producers MAY record malware verdicts; verifier policy decides if required. |
| ING-3 (Deny-list) | Prescribes a specific admission-policy mechanism (deny-list). The Dep Track’s policy-attestation requirement captures the integrity-relevant generalization: any admission policy the platform applies is recorded. Specific deny-list choice is left to operator and verifier policy. |
| UPD-2 (Automated update tooling) | Organizational practice. Routed to the OpenSSF Security Baseline. |
| ING-4 (Source mirror) | Source mirroring is most valuable when paired with rebuild, which is reserved for the future “Verified” cross-cutting axis. |
| AUD-2 (Bypass detection) | Detect-only signal subsumed at L3 by structural enforcement. |
Deferred to a future cross-cutting axis
These S2C2F requirements describe the ingestor producing their own producer-side attestations over consumed deps via rebuild. That work is a different kind of claim from what the Dep Track describes. A future cross-cutting “Verified” axis is the intended home. See Future Considerations.
| S2C2F ID | Practice | S2C2F level | Description |
|---|---|---|---|
| REB-1 | Rebuild | L4 | Rebuild OSS in a trusted build environment or validate reproducible builds. |
| REB-2 | Rebuild | L4 | Sign rebuilt OSS. |
| REB-3 | Rebuild | L4 | Generate SBOMs for rebuilt OSS. |
| REB-4 | Rebuild | L4 | Sign produced SBOMs. |
| AUD-4 | Audit | L4 | Validate SBOMs of consumed OSS. |
Excluded (referred to OpenSSF Security Baseline)
| S2C2F ID | Practice | S2C2F level | Reason for exclusion | Referred to |
|---|---|---|---|---|
| ING-1 | Ingest | L1 | The list of trusted public registries is a policy choice. The enforcement that fetches came from one is captured by the chokepoint at L2 and structural enforcement at L3. | OpenSSF Security Baseline (registry-approval policy) |
| INV-2 | Inventory | L2 | “Have an OSS Incident Response Plan” is organizational. No per-artifact evidence. | OpenSSF Security Baseline (incident response) |
| UPD-1 | Update | L1 | “Update vulnerable OSS manually” is a capability assertion, not an artifact property. | OpenSSF Security Baseline (vulnerability management) |
| UPD-3 | Update | L2 | “Display OSS vulnerabilities in developer contribution flow” requires two-person review, which is covered by the SLSA Source Track. The PR-check half is redundant with Source Track requirements. | SLSA Source Track + OpenSSF Security Baseline |
| SCA-5 | Scan | L3 | “Perform proactive security analysis of OSS” describes an upstream code audit practice. A signed audit report bound to a commit or artifact digest could be attestable in a future iteration, once a predicate type is defined. | OpenSSF Security Baseline (security review practice) |
| FIX-1 | Fix-It-And-Upstream | L4 | “Capability to privately patch and upstream a fix” is a capability assertion. The resulting rebuild evidence is covered by the deferred REB-1..4. | OpenSSF Security Baseline (vulnerability response capability) |
The original S2C2F specification text is published under the Community Specification License 1.0. Text in the requirements above is paraphrased, not transcribed verbatim; attribution to S2C2F v1.1 is via the rows in this appendix.
Future Considerations
- Cross-cutting “Verified” axis for ingested dependencies. The Dep Track’s L1 to L3 covers what the platform observes and records about each ingested dep. A further step is for the ingestor to produce their own producer-side attestations over consumed deps, typically by rebuilding the dep on the ingestor’s own SLSA Build platform, signing the rebuilt artifact, and emitting and signing an SBOM. S2C2F’s REB-1..4 and AUD-4 describe this work. It is a different kind of claim from anything in L1 to L3 (the ingestor produces ground truth rather than recording external trust signals) and is reserved for a cross-cutting axis where any SLSA track can make the same claim about its inputs. The term “Verified” is reserved for that axis. Ingestors that plan to participate in the Verified axis SHOULD also maintain an internal source mirror (S2C2F ING-4) as a prerequisite for rebuild.
- License attribution. License metadata per dep is not in scope for this track. SBOMs that reference the Dependency Ingestion Provenance attestations are the natural carrier.
- Broader scope: extend beyond build dependencies to runtime dependencies, base images, and developer tooling.
- Attestable proactive security analysis (S2C2F SCA-5 evidence half). Define a predicate type for upstream audit reports bound to a commit SHA or artifact digest.
- Verified rebuilder networks. Allow a Dep Track claim to reference independent rebuilders.
- End-of-life escalation paths. Define a response path when an EOL determination surfaces at L1.