How does SLSA provenance satisfy SSDF requirements?
The SSDF (NIST SP 800-218) Protect-Software (PS) practices call for protecting software and verifying its integrity; SLSA provenance — signed, verifiable build attestations — is a concrete way to evidence PS.3 (archive and protect each release) and PS.2…
Answer.
The SSDF (NIST SP 800-218) Protect-Software (PS) practices call for protecting software and verifying its integrity; SLSA provenance — signed, verifiable build attestations — is a concrete way to evidence PS.3 (archive and protect each release) and PS.2 (provide a mechanism to verify integrity). Mapping SLSA build provenance to the PS practices gives auditors a machine-checkable chain. Planisphere applies the same provenance idea to the audit artifact itself: the record is signed and recomputable, so its integrity is verifiable independent of trust in the producer.
The mark behind the answer.
SP 800-218 PS practices · the SLSA-attested subgroup.
Prepare evidence for SSDF · Protect Software (PS) review.
First evidence record within 21 days of access · re-runs in a single business day. Planisphere measures model behaviour and emits a reproducible, sha-pinned record — it does not certify, file, or give legal advice.