@@ -10,33 +10,33 @@ as of June 21, 2025.
1010## Organization Requirements
1111
1212These requirements are primarily for the organization that is producing the
13- source code. The ` slsa- source-poc ` tool helps organizations meet these
13+ source code. ` source-tool ` helps organizations meet these
1414requirements when using GitHub as their Source Control System (SCS).
1515
1616### [ Choose an appropriate source control system] ( https://slsa.dev/spec/v1.2-rc1/source-requirements#choose-scs )
1717
1818** Required for: SLSA Source Level 1+**
1919
2020This requirement is for the organization to select an SCS that can meet their
21- desired SLSA Source Level. The ` slsa- source-poc ` tool is designed specifically
21+ desired SLSA Source Level. ` source-tool ` is designed specifically
2222for organizations using ** GitHub** .
2323
2424### [ Protect consumable branches and tags] ( https://slsa.dev/spec/v1.2-rc1/source-requirements#protect-consumable-branches-and-tags )
2525
2626** Required for: SLSA Source Level 2+**
2727
28- The ` slsa- source-poc ` tool is designed around this principle.
28+ The SLSA source tool is designed around this principle.
2929
3030- ** Policy:** Users define a
31- [ policy file] ( https://github.com/slsa-framework/slsa-source-poc/blob/main/ DESIGN.md#policy)
31+ [ policy file] ( DESIGN.md#policy )
3232 to specify which branches are protected and what their target SLSA level is.
3333 The policy also allows for specifying which tags should be protected.
3434- ** Identity Management:** The tool relies on GitHub's built-in
3535 [ identity management] ( https://docs.github.com/en/get-started/learning-about-github/types-of-github-accounts#user-accounts )
3636 to configure which actors can perform sensitive actions.
3737- ** Technical Controls:** The tool enforces technical controls via GitHub's
3838 [ rulesets] ( https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository ) .
39- [ DESIGN.md] ( https://github.com/slsa-framework/slsa-source-poc/blob/main/ DESIGN.md)
39+ [ DESIGN.md] ( DESIGN.md )
4040 outlines several controls such as ` CONTINUITY_ENFORCED ` , ` REVIEW_ENFORCED ` ,
4141 ` TAG_HYGIENE ` , and custom ` GH_REQUIRED_CHECK_* ` controls that map to
4242 organization-defined checks. These are included in the generated VSAs as
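Review bot: the rename is applied inconsistently within this hunk. The first two changed lines replace the old name with the code-formatted `source-tool`, but the third changed line ("The SLSA source tool is designed around this principle.") introduces a prose name that appears nowhere else in the document; use `source-tool` there as well so readers see one identifier throughout. The switch from absolute GitHub URLs to relative `DESIGN.md#...` links is fine as long as this file lives at the repository root next to DESIGN.md; if it is also published elsewhere (for example on a docs site), the relative anchors will not resolve.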
@@ -46,7 +46,7 @@ The `slsa-source-poc` tool is designed around this principle.
4646
4747** Required for: SLSA Source Level 2+**
4848
49- The ` slsa- source-poc ` tool does not provide a technical enforcement mechanism
49+ The SLSA source tool does not provide a technical enforcement mechanism
5050for a safe expunging process. However, it recommends a process based on GitHub's
5151features:
5252
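Review bot: "The SLSA source tool does not provide..." uses a prose name instead of the code-formatted `source-tool` used in the other hunks; change it to `source-tool` for consistency.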
@@ -62,16 +62,15 @@ used only for safe expunging. This relies on organizational process.
6262
6363## Source Control System Requirements
6464
65- These requirements are for the Source Control System itself. The
66- ` slsa-source-poc ` tool leverages GitHub's capabilities to meet these
67- requirements.
65+ These requirements are for the Source Control System itself. ` source-tool `
66+ leverages GitHub's capabilities to meet these requirements.
6867
6968### [ Repositories are uniquely identifiable] ( https://slsa.dev/spec/v1.2-rc1/source-requirements#repository-ids )
7069
7170** Required for: SLSA Source Level 1+**
7271
7372The tool works with ** GitHub repositories** , which are uniquely identified by
74- their URL (e.g., ` https://github.com/slsa-framework/slsa- source-poc ` ).
73+ their URL (e.g., ` https://github.com/slsa-framework/source-tool ` ).
7574
7675### [ Revisions are immutable and uniquely identifiable] ( https://slsa.dev/spec/v1.2-rc1/source-requirements#revision-ids )
7776
@@ -84,8 +83,8 @@ identified by their commit hash.
8483
8584** Required for: SLSA Source Level 1+**
8685
87- The ` slsa-source-poc ` tool generates
88- [ Verification Summary Attestations (VSAs)] ( https://github.com/slsa-framework/slsa-source-poc/blob/main/ DESIGN.md#verification-summary-attestations-vsa)
86+ The SLSA Source tool generates
87+ [ Verification Summary Attestations (VSAs)] ( DESIGN.md#verification-summary-attestations-vsa )
8988for each commit on a protected branch. These VSAs indicate the SLSA Source Level
9089of the revision. The tool uses its generated
9190[ source provenance] ( #source-provenance ) to issue these VSAs for Level 3 and
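Review bot: "The SLSA Source tool generates" is a third spelling of the name (capitalised "Source" here, lower-case "source" in an earlier hunk, `source-tool` elsewhere). Replace it with `source-tool` so the document refers to the tool one way.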
@@ -97,7 +96,7 @@ can access the revision.
9796** Required for: SLSA Source Level 2+**
9897
9998The tool requires users to specify protected branches in the
100- [ policy file] ( https://github.com/slsa-framework/slsa-source-poc/blob/main/ DESIGN.md#policy) .
99+ [ policy file] ( DESIGN.md#policy ) .
101100The tool's logic for determining SLSA levels is then applied to these branches.
102101
103102### [ History] ( https://slsa.dev/spec/v1.2-rc1/source-requirements#history )
@@ -113,7 +112,7 @@ tampering with the history of protected branches.
113112
114113** Required for: SLSA Source Level 2+**
115114
116- The ` slsa- source-poc ` tool enforces the change management process through a
115+ ` source-tool ` tool enforces the change management process through a
117116combination of its policy file and GitHub's rulesets.
118117
119118- The tool checks for the enforcement of specific rules on protected branches.
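Review bot: the changed line reads "`source-tool` tool enforces the change management process", leaving a duplicated word from the old phrasing "The `slsa-source-poc` tool enforces". Drop the trailing "tool" so it reads "`source-tool` enforces the change management process".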
@@ -128,12 +127,12 @@ combination of its policy file and GitHub's rulesets.
128127
129128** Required for: SLSA Source Level 2+**
130129
131- Continuity is a core concept in the ` slsa- source-poc ` design.
130+ Continuity is a core concept in the ` source-tool ` design.
132131
133132- The ` CONTINUITY_ENFORCED ` control ensures that history protection rules are
134133 continuously enforced.
135134- The
136- [ provenance-based approach] ( https://github.com/slsa-framework/slsa-source-poc/blob/main/ DESIGN.md#provenance-based)
135+ [ provenance-based approach] ( DESIGN.md#provenance-based )
137136 is designed to track continuity of controls from one commit to the next. If a
138137 prior commit's provenance shows the same level of control, the start time of
139138 that control is carried forward. This ensures that there are no gaps in
@@ -149,7 +148,7 @@ require this for a given SLSA level.
149148
150149** Gap:** The tool does not yet support protecting only a subset of tags; the
151150` tag_hygiene ` setting applies to all tags. This is tracked in
152- [ issue #129 ] ( https://github.com/slsa-framework/slsa- source-poc /issues/129 ) .
151+ [ issue #129 ] ( https://github.com/slsa-framework/source-tool /issues/129 ) .
153152
154153### [ Identity Management] ( https://slsa.dev/spec/v1.2-rc1/source-requirements#identity-management )
155154
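Review bot: the issue link now points at `https://github.com/slsa-framework/source-tool/issues/129`. Before merging, confirm that issue #129 exists under the new repository name (or that GitHub's redirect from the old repository resolves to it); if the repository was recreated rather than renamed, the issue number may not carry over and the link would dangle.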
@@ -163,9 +162,9 @@ their GitHub user accounts.
163162
164163** Required for: SLSA Source Level 3+**
165164
166- For Level 3, the ` slsa- source-poc ` tool creates ** source provenance
167- attestations ** for each push to a protected branch. The
168- [ design document] ( https://github.com/slsa-framework/slsa-source-poc/blob/main/ DESIGN.md#source-provenance)
165+ For Level 3, ` source-tool ` creates ** source provenance attestations ** for each
166+ push to a protected branch. The
167+ [ design document] ( DESIGN.md#source-provenance )
169168specifies the format of these attestations, which include the actor, the current
170169and previous commits, the controls in place, and timestamps.
171170
@@ -179,8 +178,8 @@ anyone who can access the revision.
179178
180179** Required for: SLSA Source Level 4**
181180
182- For Level 4, the ` slsa- source-poc ` tool has a ` REVIEW_ENFORCED ` control. This
183- control checks that the repository is configured to:
181+ For Level 4, ` source-tool ` has a ` REVIEW_ENFORCED ` control. This control checks
182+ that the repository is configured to:
184183
185184- Require Pull Requests.
186185- Require at least one approval.