# SLSA dashboard

> Per-repository SLSA v1.2 Build- and Source-track attainment with control heatmaps.

The **/slsa** page scores every connected repository against
[SLSA v1.2](https://slsa.dev/spec/v1.2/). Build-track results come from the
workflow YAML scan; Source-track results come from the repository-settings
audit (branch protection, required reviews, etc.).

## Page structure

1. **Stat row** — four cards summarising attainment across all repos:
   *Build L3*, *Build L2+*, *Source L4*, *Source L3+*.
2. **Level distribution** — one horizontal stacked bar per track showing how
   many repos sit at each level.
3. **Controls heatmaps** — two grids, one per track. Rows are SLSA controls
   grouped by level; columns are repositories. Cells show pass / fail / not
   scanned for that (repo, rule) pair and link to the repo's detail page.
4. **Lowest-scoring repositories** — a per-repo card list with two
   per-track progress bars (controls passing at each level).

## "Scan all (SLSA ruleset)" button

The button sits at the top right of the page. It runs a scan across every
repository with `ruleset=slsa`, so only SLSA-tagged rules contribute to the
resulting findings.

The default ruleset for ad-hoc scans elsewhere in the app is still `all`;
this view is the only place that defaults to `slsa`.

## Level computation

A repository "passes" SLSA Build level **L** when no enabled SLSA-Build rule
tagged for level L (or below) has fired. The Source track works the same way.

* A repository that has never been scanned shows at Build L0 / Source L1
  (Source L1 is "Version Controlled" — trivially satisfied by any GitHub
  repository).
* An L2 finding drops the Build level to L1; an L1 finding drops it to L0.
  Build levels rise from there as more rules pass.
* Source L4 ("Two-Party Review") needs the GitHub App's extended permissions
  enabled. If the settings audit is skipped (e.g. missing scopes), the repo
  shows at Source L1.

## Filtering by level

The Rule Settings page lets you disable any individual rule globally or per
repo. The SLSA dashboard respects those toggles — a disabled rule never
counts as a fail.
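
The level computation and the rule toggles described above can be sketched as follows. This is an added example, not Pipefort's own code: the rule IDs, repository names and function names are hypothetical, and reading the "L2+" / "L3+" stat cards as "that level or higher" is an assumption.

```python
from dataclasses import dataclass

# Level range per track as the page describes it: Build L0-L3, Source L1-L4.
TRACKS = {"build": (0, 3), "source": (1, 4)}

@dataclass(frozen=True)
class Rule:
    rule_id: str  # hypothetical ID, not a real Pipefort rule name
    track: str    # "build" or "source"
    level: int    # SLSA level the rule is tagged for

def attained_level(track, rules, fired, disabled=frozenset(), scanned=True):
    """Highest level L such that no enabled rule tagged <= L has fired."""
    floor, top = TRACKS[track]
    if not scanned:  # never scanned, or the settings audit was skipped
        return floor
    failing = [r.level for r in rules
               if r.track == track and r.rule_id in fired
               and r.rule_id not in disabled]  # disabled rules never fail
    # The lowest failing level caps attainment one level beneath it.
    return top if not failing else max(floor, min(failing) - 1)

def stat_row(levels):
    """Counts behind the four stat cards, from {repo: (build, source)}."""
    return {
        "Build L3": sum(b == 3 for b, _ in levels.values()),
        "Build L2+": sum(b >= 2 for b, _ in levels.values()),
        "Source L4": sum(s == 4 for _, s in levels.values()),
        "Source L3+": sum(s >= 3 for _, s in levels.values()),
    }

# Constructed sample data (rules and repositories are illustrative only).
RULES = [
    Rule("build-l1-a", "build", 1), Rule("build-l2-a", "build", 2),
    Rule("build-l3-a", "build", 3), Rule("source-l2-a", "source", 2),
    Rule("source-l4-a", "source", 4),
]
REPOS = {  # repo: (fired IDs, disabled IDs, build scanned, source audited)
    "api": ({"build-l3-a", "source-l4-a"}, set(), True, True),
    "web": ({"build-l2-a", "build-l3-a"}, {"build-l2-a"}, True, False),
    "cli": (set(), set(), True, True),
    "docs": (set(), set(), False, False),
}

def score_all():
    """Return {repo: (build_level, source_level)} for the sample repos."""
    return {name: (attained_level("build", RULES, fired, off, b_ok),
                   attained_level("source", RULES, fired, off, s_ok))
            for name, (fired, off, b_ok, s_ok) in REPOS.items()}
```

In the sample, `web` stays at Build L2 even though an L2 rule fired, because that rule is disabled for the repo, and it shows at Source L1 because its settings audit was skipped.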

## Related

* [SLSA rule overview](/rules/slsa-overview) — one row per Build / Source rule.
* [Rule settings](/webapp/rule-settings) — per-user / per-repo toggles.
* [GitHub App permissions](/concepts/github-app-permissions) — what to grant
  for Source-track checks.
