Complete SLSA implementation playbook: clarify SLSA vs SBOM confusion, classify runner configurations, implement verification workflows, and adopt incrementally from Level 1 to Level 3.
Provides a complete SLSA implementation playbook to clarify SLSA vs SBOM confusion, classify runner configurations, and build verification workflows. Use when you need to implement SLSA Levels 1-3 for supply chain security.
/plugin marketplace add adaptive-enforcement-lab/claude-skills/plugin install enforce@ael-skillsThis skill inherits all available tools. When active, it can use any tool Claude has access to.
examples.mdreference.mdscripts/example-1.yamlscripts/example-2.mermaidTurn supply chain security from aspirational to operational.
What This Playbook Delivers
Clear implementation path from SLSA Level 1 to Level 3. Resolve SLSA vs SBOM confusion. Classify self-hosted runners correctly. Build verification workflows that actually work.
Before implementing SLSA:
SLSA Level 3 provenance moves Signed-Releases from 8/10 to 10/10.
What you need:
.intoto.jsonl attestation filesImplementation: Current SLSA Provenance Guide
Self-hosted runners don't automatically disqualify you, but they cap your SLSA level.
Questions to answer:
Detailed guidance coming in Runner Configuration guide.
Good. SBOM is complementary, not redundant.
Both address supply chain risk from different angles.
Detailed comparison coming in SLSA vs SBOM guide.
Turn supply chain security from aspirational to operational.
What This Playbook Delivers
Clear implementation path from SLSA Level 1 to Level 3. Resolve SLSA vs SBOM confusion. Classify self-hosted runners correctly. Build verification workflows that actually work.
SLSA adoption stalls on three documented pain points:
This playbook addresses all three directly.
SLSA provenance proves build integrity. It answers:
SLSA is not a bill of materials. It's a cryptographic proof of the build process.
Core value: Detect compromised builds. Prevent supply chain attacks like SolarWinds.
The SLSA community acknowledges this confusion as a problem they "hope to address." We address it now.
Quick answer:
You need both. They complement each other.
Full clarification coming in subsequent playbook sections.
This playbook is organized into focused sections covering the complete SLSA implementation journey:
Start here to understand SLSA fundamentals:
Determine your target SLSA level:
Make SLSA provenance mandatory:
Implement SLSA progressively:
Language-specific implementation:
Playbook Content In Progress
Additional playbook sections are being developed. Start with the current implementation guide for immediate SLSA Level 3 provenance generation.
Use GitHub-hosted runners with slsa-github-generator:
See examples.md for detailed code examples.
Result: SLSA Level 3 provenance in one workflow change.
Learn more: Current SLSA Implementation
Understand your SLSA level ceiling:
Reality check: Most self-hosted runners max out at SLSA Level 1 or 2.
Detailed classification guidance coming in subsequent playbook sections.
Start with conceptual foundation:
| Level | Build Script | Source Provenance | Build Isolation | Provenance Signing |
|---|---|---|---|---|
| 0 | None | None | None | None |
| 1 | Manual | Recorded | None | Manual |
| 2 | Automated | Versioned | None | Service-generated |
| 3 | Automated | Versioned | Isolated | Non-falsifiable |
| 4 | Automated | Versioned | Hermetic | Non-falsifiable + 2-party review |
Critical distinction: Level 3 requires isolated build environments. This is where self-hosted runners struggle.
Full details coming in SLSA Levels guide.
SLSA Level 3 provenance moves Signed-Releases from 8/10 to 10/10.
What you need:
.intoto.jsonl attestation filesImplementation: Current SLSA Provenance Guide
Self-hosted runners don't automatically disqualify you, but they cap your SLSA level.
Questions to answer:
Detailed guidance coming in Runner Configuration guide.
Good. SBOM is complementary, not redundant.
Both address supply chain risk from different angles.
Detailed comparison coming in SLSA vs SBOM guide.
SLSA provenance layers with other enforcement mechanisms:
See examples.md for detailed code examples.
Integration points:
Supply chain attacks exploit build process compromise:
SLSA provenance detects these attacks by proving:
The gap SLSA fills: It's not enough to sign artifacts. You must prove the build process itself is trustworthy.
Before implementing SLSA:
Realistic estimates:
Complexity drivers: Verification workflows, policy enforcement, self-hosted runner migration.
Phased approach guide coming soon.
SLSA provenance proves build integrity. Start with clarity, implement incrementally, verify everywhere.
SLSA adoption stalls on three documented pain points:
This playbook addresses all three directly.
SLSA provenance proves build integrity. It answers:
SLSA is not a bill of materials. It's a cryptographic proof of the build process.
Core value: Detect compromised builds. Prevent supply chain attacks like SolarWinds.
The SLSA community acknowledges this confusion as a problem they "hope to address." We address it now.
Quick answer:
You need both. They complement each other.
Full clarification coming in subsequent playbook sections.
This playbook is organized into focused sections covering the complete SLSA implementation journey:
Start here to understand SLSA fundamentals:
Determine your target SLSA level:
Make SLSA provenance mandatory:
Implement SLSA progressively:
Language-specific implementation:
Playbook Content In Progress
Additional playbook sections are being developed. Start with the current implementation guide for immediate SLSA Level 3 provenance generation.
Use GitHub-hosted runners with slsa-github-generator:
See examples.md for detailed code examples.
Result: SLSA Level 3 provenance in one workflow change.
Learn more: Current SLSA Implementation
Understand your SLSA level ceiling:
Reality check: Most self-hosted runners max out at SLSA Level 1 or 2.
Detailed classification guidance coming in subsequent playbook sections.
Start with conceptual foundation:
| Level | Build Script | Source Provenance | Build Isolation | Provenance Signing |
|---|---|---|---|---|
| 0 | None | None | None | None |
| 1 | Manual | Recorded | None | Manual |
| 2 | Automated | Versioned | None | Service-generated |
| 3 | Automated | Versioned | Isolated | Non-falsifiable |
| 4 | Automated | Versioned | Hermetic | Non-falsifiable + 2-party review |
Critical distinction: Level 3 requires isolated build environments. This is where self-hosted runners struggle.
Full details coming in SLSA Levels guide.
SLSA Level 3 provenance moves Signed-Releases from 8/10 to 10/10.
What you need:
.intoto.jsonl attestation filesImplementation: Current SLSA Provenance Guide
Self-hosted runners don't automatically disqualify you, but they cap your SLSA level.
Questions to answer:
Detailed guidance coming in Runner Configuration guide.
Good. SBOM is complementary, not redundant.
Both address supply chain risk from different angles.
Detailed comparison coming in SLSA vs SBOM guide.
SLSA provenance layers with other enforcement mechanisms:
See examples.md for detailed code examples.
Integration points:
Supply chain attacks exploit build process compromise:
SLSA provenance detects these attacks by proving:
The gap SLSA fills: It's not enough to sign artifacts. You must prove the build process itself is trustworthy.
Before implementing SLSA:
Realistic estimates:
Complexity drivers: Verification workflows, policy enforcement, self-hosted runner migration.
Phased approach guide coming soon.
SLSA provenance proves build integrity. Start with clarity, implement incrementally, verify everywhere.
The SLSA community acknowledges this confusion as a problem they "hope to address." We address it now.
Quick answer:
You need both. They complement each other.
Full clarification coming in subsequent playbook sections.
See examples.md for code examples.
See reference.md for complete documentation.
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.
Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. Use it when brand colors or style guidelines, visual formatting, or company design standards apply.
Create beautiful visual art in .png and .pdf documents using design philosophy. You should use this skill when the user asks to create a poster, piece of art, design, or other static piece. Create original visual designs, never copying existing artists' work to avoid copyright violations.