{"id":"34ff1ad9-0db2-4235-8bf9-97dd537137be","task":"Understand the differences between SLSA Build Levels 1, 2, and 3 and map them to CI requirements","domain":"slsa.dev","steps":["Review the SLSA v1.0 specification to understand that Build L1 requires provenance exists (any format), L2 requires provenance is signed and hosted on a tamper-resistant service, and L3 requires the build runs on a hardened isolated platform with additional isolation guarantees","For L1: add a simple step that generates and records build metadata (timestamp, source ref, builder); no signing required","For L2: use slsa-github-generator or an equivalent builder that signs provenance with a short-lived OIDC-bound key and publishes it to a transparency log","For L3: use the slsa-github-generator reusable workflow, which runs in an isolated GitHub-hosted runner with restricted token scope — or use Google Cloud Build with SLSA support","Document which level each artifact type achieves and track them in your software security posture management tooling"],"gotchas":["SLSA levels are per-artifact, not per-organization; an org can achieve L3 for container images and L1 for internal scripts simultaneously","SLSA v0.1 levels (1–4) are superseded by v1.0 levels (1–3); tooling and documentation may reference either version, so confirm which spec version a given tool targets","Achieving L3 on GitHub Actions requires using the official reusable workflows without modification; customizing the build steps in the same job downgrades the effective level"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/34ff1ad9-0db2-4235-8bf9-97dd537137be"}