Enum: SourceLevelEnum
SLSA Source Track levels providing increasing trust in source code provenance and the controls used to create source revisions.
URI: slsa:SourceLevelEnum
Permissible Values
| Value | Meaning | Description |
|---|---|---|
| SLSA_SOURCE_LEVEL_1 | None | Source is stored in a version control system, enabling discrete and immutable... |
| SLSA_SOURCE_LEVEL_2 | None | Branch history is preserved and immutable; the SCS generates tamper-resistan... |
| SLSA_SOURCE_LEVEL_3 | None | The SCS enforces the organization's technical controls on protected Named Ref... |
| SLSA_SOURCE_LEVEL_4 | None | All changes to protected branches require two-party review by trusted persons... |
Slots
| Name | Description |
|---|---|
| sourceLevel | The SLSA Source Level achieved or verified for a source repository or revisio... |
In Subsets
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/slsa
LinkML Source
```yaml
name: SourceLevelEnum
description: SLSA Source Track levels providing increasing trust in source code provenance
  and the controls used to create source revisions.
in_subset:
- slsa_source_track
from_schema: https://w3id.org/lmodel/slsa
rank: 1000
permissible_values:
  SLSA_SOURCE_LEVEL_1:
    text: SLSA_SOURCE_LEVEL_1
    description: Source is stored in a version control system, enabling discrete and
      immutable source revisions for precise consumption.
  SLSA_SOURCE_LEVEL_2:
    text: SLSA_SOURCE_LEVEL_2
    description: Branch history is preserved and immutable; the SCS generates tamper-resistant
      source provenance attestations for each new revision.
  SLSA_SOURCE_LEVEL_3:
    text: SLSA_SOURCE_LEVEL_3
    description: The SCS enforces the organization's technical controls on protected
      Named References, providing verifiable evidence of those controls.
  SLSA_SOURCE_LEVEL_4:
    text: SLSA_SOURCE_LEVEL_4
    description: All changes to protected branches require two-party review by trusted
      persons, resisting insider threats and unilateral changes.
    notes:
    - 'Feasibility concern (Tamanna et al., 2024, LF.2): Many open-source projects
      have only one active maintainer, making the two-party review requirement impractical.
      Whether pair programming and mob programming qualify as equivalent review forms
      is an open question in the practitioner community. Use the reviewType slot on
      SourceRevision to record the form of review applied.'
```