Is Your Source Code Secure? Chainloop Adds SLSA v1.2 Source Track Support

Victoria Ponce

Are your source code management tools properly configured? Do you have visibility into your repository security controls? With the release of SLSA v1.2, these questions have become critical for supply chain security, and Chainloop is ready to help you answer them.

SLSA v1.2: A Complete Supply Chain Framework

The SLSA (Supply-chain Levels for Software Artifacts) framework has evolved. While previous versions focused primarily on build security, SLSA v1.2 introduces a comprehensive source track alongside the existing build track, creating a complete framework that addresses security from source code management through the final build process.

This dual-track approach means organizations can now:

  • Source Track: Verify version control practices, enforce code review requirements, and validate repository protection settings
  • Build Track: Ensure consistent build processes, verify provenance, and protect against tampering

We’re excited to announce that Chainloop now fully supports SLSA v1.2, including both source and build tracks. Our implementation enables automated validation of:

Source Track Coverage

  • Source L1 (Version Controlled): Automatic verification that your code uses modern version control with unique identification and immutability
  • Source L2 (History & Provenance): Validation of complete change history, branch protection rules, and signed commits
  • Source L3 (Continuous Technical Controls): Verification of continuously enforced technical controls on protected branches
  • Source L4 (Two-Party Review): Enforcement of two-person review requirements with code owner approvals

Build Track Coverage

  • Build L1: Automated provenance generation for consistent build processes
  • Build L2: Signed provenance verification with authenticated runners (GitHub Actions, GitLab CI)
  • Build L3: Advanced hardening requirements with manual evidence support

Source Track: The Missing Piece

The software supply chain faces threats at every stage, from source code repositories to the final build and distribution. Understanding where these vulnerabilities exist is the first step to defending against them.

[Figure: SLSA Supply Chain Threats diagram showing threats across the software development lifecycle]

While build provenance tells you how software was built, source track compliance answers equally important questions:

  • Can unauthorized actors modify your protected branches?
  • Are all commits cryptographically signed and traceable?
  • Do your repository settings enforce two-party code review?
  • Is your change history immutable and complete?

Chainloop’s source track validation automatically collects and validates your repository security configuration, checking settings like:

  • Branch protection rules
  • Required pull request reviews
  • Commit signing enforcement
  • Force push restrictions
  • Linear history requirements
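
One way to run the checks in the list above against a single branch, as an added example (not Chainloop's code or policies). It audits a constructed sample shaped like GitHub's branch-protection REST response; the check names and the one-approval threshold are assumptions.

```python
import json

# Constructed sample shaped like GitHub's REST response for
# GET /repos/{owner}/{repo}/branches/{branch}/protection (not real repository data).
SAMPLE_PROTECTION = json.loads("""
{
  "required_pull_request_reviews": {
    "required_approving_review_count": 1,
    "require_code_owner_reviews": false
  },
  "required_signatures": {"enabled": true},
  "allow_force_pushes": {"enabled": true},
  "required_linear_history": {"enabled": false},
  "enforce_admins": {"enabled": true}
}
""")

# Hypothetical check names, one per setting in the list above.
CHECKS = ("branch_protection_rule", "required_pr_reviews", "commit_signing",
          "force_push_blocked", "linear_history")


def _enabled(cfg, key):
    """True only if the setting object exists and is enabled (missing fails closed)."""
    return bool((cfg.get(key) or {}).get("enabled", False))


def audit_branch_protection(cfg):
    """Return {check: passed}. Pass None when the branch has no protection
    rule at all (GitHub answers 404 for an unprotected branch)."""
    if not cfg:
        return {name: False for name in CHECKS}
    reviews = cfg.get("required_pull_request_reviews") or {}
    return {
        "branch_protection_rule": True,
        # Assumed threshold: at least one approval from someone other than the author.
        "required_pr_reviews": reviews.get("required_approving_review_count", 0) >= 1,
        "commit_signing": _enabled(cfg, "required_signatures"),
        # Passes only when force pushes are explicitly disabled.
        "force_push_blocked": (cfg.get("allow_force_pushes") or {}).get("enabled") is False,
        "linear_history": _enabled(cfg, "required_linear_history"),
    }


def failed_checks(cfg):
    """Names of the checks that did not pass, in CHECKS order."""
    result = audit_branch_protection(cfg)
    return [name for name in CHECKS if not result[name]]
```
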

Getting Started with SLSA v1.2

Enabling SLSA v1.2 compliance in Chainloop is straightforward:

  1. Attach the SLSA 1.2 framework to your product in the Chainloop platform
  2. Create workflows for both source and build track validation
  3. Send attestations using our CLI to automatically gather repository security data
  4. Monitor compliance in real-time through the Chainloop dashboard

[Figure: SLSA 1.2 continuous monitoring with Chainloop]

For detailed setup instructions, check out our SLSA compliance guide and SLSA reference documentation.

Why This Matters

Supply chain attacks increasingly target the source code phase through compromised repositories, unauthorized commits, and bypassed code reviews. SLSA v1.2’s source track provides a standardized way to verify and enforce controls at this critical stage.

With Chainloop’s automated source track validation, you can:

  • Demonstrate SLSA compliance aligned with requirements from NIST SSDF and Executive Order 14028
  • Detect misconfigurations in repository security settings before they become vulnerabilities
  • Maintain continuous visibility into your source code security posture
  • Prove to customers that your development practices meet industry standards

The Speed of Security

One of our core principles is responding rapidly to emerging security standards. SLSA v1.2 was recently released, and we’ve already integrated full support, including the complex source track validation, into Chainloop.

This rapid implementation reflects our commitment to keeping your software supply chain secure with the latest industry best practices, without making you wait.


Ready to validate your source code security? Get started with Chainloop and see your SLSA v1.2 compliance status in minutes.

Questions or want to learn more? Contact us or schedule a demo.


Cover image: SLSA Supply Chain Threats diagram. © 2025 The Linux Foundation. Used under the Community Specification License 1.0.