> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SLSA framework overview

> Pipefort's SLSA v1.2 Build- and Source-track coverage, control by control.

Pipefort scores every scanned repository against the
[SLSA v1.2 specification](https://slsa.dev/spec/v1.2/). Two tracks are
covered:

* **Build track** — how artifacts are produced (Levels 1–3). Workflow-YAML
  checks live here.
* **Source track** — how source code is managed (Levels 1–4). Repository-
  settings checks (branch protection, etc.) live here.

The dedicated [SLSA dashboard](/webapp/slsa) renders both tracks side-by-side
with per-control pass/fail heatmaps and a "lowest-scoring repositories" list.

## Build track

Run `pipefort -r slsa-build-l2` (or any level) to filter the CLI to just these
rules. The web app's `/slsa` page exposes the same filter on the API call.

| Rule                                                                      | Level | Severity | Auto-fix |
| ------------------------------------------------------------------------- | ----- | -------- | -------- |
| [Command piped to shell](/rules/best-prac-1)                              | L1    | HIGH     | ✗        |
| [Self-hosted runner](/rules/best-prac-3)                                  | L2    | LOW      | ✗        |
| [Missing `permissions:`](/rules/cicd-sec-5)                               | L2    | MEDIUM   | ✓        |
| [Permissions overly broad](/rules/slsa-build-l2-perms-overly-broad)       | L2    | HIGH     | ✗        |
| [Build provenance missing](/rules/slsa-build-l2-provenance)               | L2    | HIGH     | ✗        |
| [Provenance signing scope missing](/rules/slsa-build-l2-oidc-token-scope) | L2    | MEDIUM   | ✗        |
| [Verify step missing](/rules/slsa-build-l2-verify-step)                   | L2    | INFO     | ✗        |
| [Pinned actions](/rules/cicd-sec-3)                                       | L3    | MEDIUM   | ✓        |
| [`pull_request_target` checkout](/rules/cicd-sec-1)                       | L3    | HIGH     | ✓        |
| [Provenance not isolated](/rules/slsa-build-l3-provenance-isolated)       | L3    | MEDIUM   | ✗        |
| [Cache poisoning in PR](/rules/slsa-build-l3-cache-poisoning)             | L3    | HIGH     | ✗        |

### Level definitions

| Level  | Summary                                                                                                                                                                                                                                              |
| ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **L1** | Build process is consistent; provenance distributed to consumers.                                                                                                                                                                                    |
| **L2** | Hosted build platform; provenance is signed and verifiable.                                                                                                                                                                                          |
| **L3** | Hardened builds: signing key isolated from user-defined build steps. On GitHub this requires the [`slsa-framework/slsa-github-generator`](https://github.com/slsa-framework/slsa-github-generator) reusable workflow — in-job signing only meets L2. |

## Source track

These rules need the [GitHub App's extended permissions](/concepts/github-app-permissions)
so Pipefort can read repository settings.

| Rule                                                             | Level | Severity |
| ---------------------------------------------------------------- | ----- | -------- |
| [No force pushes](/rules/cicd-sec-1-bp-force-push)               | L2    | HIGH     |
| [No deletion](/rules/cicd-sec-1-bp-deletion)                     | L2    | HIGH     |
| [Signed commits](/rules/cicd-sec-1-bp-no-signed-commits)         | L2    | LOW      |
| [Branch protection exists](/rules/cicd-sec-1-bp-missing)         | L3    | HIGH     |
| [Status checks required](/rules/cicd-sec-1-bp-no-status-checks)  | L3    | MEDIUM   |
| [Admins cannot bypass](/rules/cicd-sec-1-bp-admin-bypass)        | L3    | HIGH     |
| [Reviews required](/rules/cicd-sec-1-bp-no-review)               | L4    | HIGH     |
| [≥ 2 reviewers](/rules/cicd-sec-1-bp-few-reviewers)              | L4    | MEDIUM   |
| [Stale reviews dismissed](/rules/cicd-sec-1-bp-stale-reviews)    | L4    | MEDIUM   |
| [CODEOWNERS review](/rules/cicd-sec-1-bp-no-codeowners-review)   | L4    | LOW      |
| [Actions cannot approve PRs](/rules/cicd-sec-4-wperm-pr-approve) | L4    | HIGH     |

### Level definitions

| Level  | Summary                                                                                     |
| ------ | ------------------------------------------------------------------------------------------- |
| **L1** | Version controlled (any GitHub repo trivially satisfies this).                              |
| **L2** | History preserved: no force-push, no branch deletion.                                       |
| **L3** | Continuous technical controls — branch protection, required status checks, no admin bypass. |
| **L4** | Two-party review enforced (≥ 2 reviewers, dismiss stale, CODEOWNERS, no bot approvals).     |

## How the SLSA level is computed per repo

A repo passes level **L** when **no enabled rule tagged for that level (or any
lower level) fired** in its latest scan. The dashboard's Level Ladder widget
shows the score per track and the count of passing controls at each level.

Repositories without a recent scan show as L0 (Build) and L1 (Source) — the
latter because a GitHub-hosted repo trivially satisfies Source L1
(Version Controlled).
