2025-03-26
In this #KEYMASTER episode, host Sven Rajala is joined by Fredrik Skogman from GitHub to unpack the evolving landscape of software supply chain security. At the heart of their discussion is SLSA (Supply-chain Levels for Software Artifacts), a framework designed to counteract threats in modern build systems.
Here’s a summary of the conversation between Sven Rajala, Keyfactor’s international PKI man of mystery, and Fredrik Skogman.
As the conversation kicks off, Fredrik outlines SLSA’s core mission, which is “defining a structured threat model and mitigation strategy for securing software artifacts.”
He describes how the framework establishes progressive security levels, moving from basic integrity measures (Level 1) to fully automated, isolated, and tamper-resistant build environments (Level 3+).
But how does SLSA ensure accountability? Fredrik explains that attestations play a key role, with projects generating cryptographic proof of how their software is built. He shares insights from GitHub’s efforts, including the adoption of in-toto attestations and how SLSA provenance is being integrated across package registries like NPM, Homebrew, and PyPI.
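To make the attestation idea concrete, here is an added example (not code from the episode, GitHub or the SLSA project) of the checks a consumer performs on a SLSA provenance attestation before trusting an artifact. It assumes the attestation is an in-toto Statement (v1) carrying a SLSA provenance v1 predicate, and that the enclosing signature (for example a Sigstore bundle) has already been verified by the consumer's tooling; the sample artifact bytes, builder id and source URI are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample artifact: stands in for a downloaded package or tarball.
ARTIFACT_BYTES = b"example release tarball contents"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()

# Constructed in-toto Statement with a SLSA provenance v1 predicate.
# Builder id, build type and source URI are placeholders (example.invalid).
PROVENANCE_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": "example-1.0.0.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/ci/v1",
            "externalParameters": {
                "source": "git+https://example.invalid/org/repo@refs/tags/v1.0.0"
            },
        },
        "runDetails": {
            "builder": {"id": "https://example.invalid/builders/hosted-ci/v1"}
        },
    },
})

# Consumer policy: which builders are trusted to have produced this artifact,
# and which source repository the build must have been run from.
TRUSTED_BUILDERS = {"https://example.invalid/builders/hosted-ci/v1"}
EXPECTED_SOURCE_PREFIX = "git+https://example.invalid/org/repo@"


class ProvenanceError(Exception):
    """Raised when the attestation does not satisfy consumer policy."""


def verify_provenance(statement_json, artifact, trusted_builders, expected_source_prefix):
    """Check a (signature-verified) provenance statement against an artifact.

    Returns a dict describing the accepted build, or raises ProvenanceError.
    """
    stmt = json.loads(statement_json)

    # 1. The envelope must really be an in-toto Statement with a SLSA predicate.
    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        raise ProvenanceError("not an in-toto v1 Statement")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        raise ProvenanceError("unexpected predicate type")

    # 2. The artifact we hold must be one of the statement's subjects.
    #    Compare digests in constant time to avoid leaking comparison timing.
    actual = hashlib.sha256(artifact).hexdigest()
    matched = None
    for subject in stmt.get("subject", []):
        claimed = subject.get("digest", {}).get("sha256", "")
        if hmac.compare_digest(claimed, actual):
            matched = subject.get("name")
            break
    if matched is None:
        raise ProvenanceError("artifact digest does not match any subject")

    # 3. Only an allow-listed builder may vouch for the artifact.
    predicate = stmt.get("predicate", {})
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        raise ProvenanceError(f"untrusted builder: {builder_id!r}")

    # 4. The build must have come from the expected source repository.
    source = predicate.get("buildDefinition", {}).get("externalParameters", {}).get("source", "")
    if not source.startswith(expected_source_prefix):
        raise ProvenanceError(f"unexpected source: {source!r}")

    return {"subject": matched, "builder": builder_id, "source": source}


if __name__ == "__main__":
    print(verify_provenance(PROVENANCE_JSON, ARTIFACT_BYTES,
                            TRUSTED_BUILDERS, EXPECTED_SOURCE_PREFIX))
```

The order of the checks matters in practice: digest matching binds the statement to the bytes you actually downloaded, the builder allow-list is what turns a self-asserted claim into one backed by a platform you trust, and the source check closes the gap where a trusted builder produced a legitimate attestation for a different repository.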
Beyond build security, the discussion ventures into dependency tracking, a crucial yet underdeveloped frontier in supply chain security. Fredrik highlights ongoing efforts to establish SLSA standards for dependencies, leveraging work from Microsoft’s S2C2F project. He acknowledges the challenge of transitive security—ensuring that not just your code, but also its dependencies, meet high integrity standards.
Sven and Fredrik agree that the industry is still in the early stages of SLSA adoption, but momentum is growing. Open-source ecosystems are leading the charge, and commercial software vendors are following, bringing greater transparency to the industry as a whole.
Fredrik Skogman is a Staff Engineer on the Package Security Engineering team at GitHub, where he focuses on software supply chain security. At GitHub he provides technical leadership for standards and tools in the supply chain security space, most recently co-authoring the published npm RFC for using Sigstore to bind packages to the originating source. Fredrik is an active maintainer in the Sigstore and TUF projects. As a native Swede, he rides all kinds of bikes, in all kinds of weather.