Analyzing Challenges in Deployment of the SLSA Framework for Software Supply Chain Security
Mahzabin Tamanna, Sivana Hamer, Mindy Tran, Sascha Fahl, Yasemin Acar, Laurie Williams
TL;DR
The paper investigates why SLSA adoption remains limited despite its promise for software supply chain security by analyzing 1,523 SLSA-related GitHub issues across 233 repositories. It combines Latent Dirichlet Allocation topic modeling with reflexive thematic analysis to identify four main adoption challenges—Complex Implementation, Unclear Communication, Limited Feasibility, and Unclear Relevance—and five practical strategies to address them, including alignment/flexibility, detailed documentation, provenance workflow simplification, verification improvements, and community collaboration. The findings yield concrete recommendations for security framework authors, practitioners, and researchers to improve usability, reduce adoption barriers, and enhance trust in software provenance and attestation. The work highlights the ongoing need for tooling enhancements, clearer terminology, and ecosystem-wide alignment to advance robust, scalable software supply chain security.
Abstract
In 2023, Sonatype reported a 200% increase in software supply chain attacks, including major build infrastructure attacks. To secure the software supply chain, practitioners can follow security framework guidance like the Supply-chain Levels for Software Artifacts (SLSA). However, recent surveys and industry summits have shown that despite growing interest, the adoption of SLSA is not widespread. To understand adoption challenges, the goal of this study is to aid framework authors and practitioners in improving the adoption and development of Supply-Chain Levels for Software Artifacts (SLSA) through a qualitative study of SLSA-related issues on GitHub. We analyzed 1,523 SLSA-related issues extracted from 233 GitHub repositories. We conducted a topic-guided thematic analysis, leveraging the Latent Dirichlet Allocation (LDA) unsupervised machine learning algorithm, to explore the challenges of adopting SLSA and the strategies for overcoming these challenges. We identified four significant challenges and five suggested adoption strategies. The two main challenges reported are complex implementation and unclear communication, highlighting the difficulties in implementing and understanding the SLSA process across diverse ecosystems. The suggested strategies include streamlining provenance generation processes, improving the SLSA verification process, and providing specific and detailed documentation. Our findings indicate that some strategies can help mitigate multiple challenges, and some challenges need future research and tool enhancement.
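Two of the strategies named above, streamlining provenance generation and improving SLSA verification, concern what a consumer actually checks in a provenance attestation before trusting an artifact. The following is an added illustration of those checks and is not code from the paper or from the SLSA project. It assumes the attestation body is an in-toto Statement v1 carrying a SLSA Provenance v1 predicate (field names as published by in-toto and slsa.dev), and that the DSSE envelope signature around the statement has already been verified by a separate step such as slsa-verifier or cosign; the builder id, source URI, artifact bytes and commit digest are constructed placeholders.

```python
"""Content checks a consumer runs on a SLSA provenance attestation before
trusting an artifact. Added example, not code from the paper.

Assumptions: the attestation body is an in-toto Statement v1 whose
predicate is SLSA Provenance v1; the DSSE signature around it has ALREADY
been verified by a separate step (e.g. slsa-verifier or cosign), so this
block only inspects the statement body. Builder id, source URI, commit
digest and artifact bytes below are constructed placeholders.
"""
import hashlib
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed policy inputs: which builders we trust and where the code must come from.
TRUSTED_BUILDERS = {"https://builder.example/trusted-builder@v1"}
EXPECTED_SOURCE = "git+https://github.com/example-org/example-app"

# Constructed release artifact standing in for a real tarball.
SAMPLE_ARTIFACT = b"constructed release bytes for example-app v1.0.0\n"
SAMPLE_NAME = "example-app-v1.0.0.tar.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_statement(artifact: bytes,
                           builder_id: str = "https://builder.example/trusted-builder@v1") -> str:
    """Construct a provenance statement shaped like what a SLSA builder emits for `artifact`."""
    statement = {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": SAMPLE_NAME, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://builder.example/build-types/generic@v1",  # placeholder
                "externalParameters": {"tag": "v1.0.0"},
                "resolvedDependencies": [
                    {"uri": EXPECTED_SOURCE + "@refs/tags/v1.0.0",
                     "digest": {"gitCommit": "0" * 40}},  # placeholder commit id
                ],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    return json.dumps(statement)


def verify_provenance(statement_json: str, artifact: bytes, artifact_name: str,
                      trusted_builders: set, expected_source: str) -> list:
    """Return the list of policy violations found (an empty list means the artifact is accepted)."""
    try:
        stmt = json.loads(statement_json)
    except json.JSONDecodeError as exc:
        return [f"statement is not valid JSON: {exc}"]
    problems = []

    # 0. Make sure this is the document type we think it is.
    if stmt.get("_type") != IN_TOTO_STATEMENT_V1:
        problems.append(f"unexpected statement type {stmt.get('_type')!r}")
    if stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        problems.append(f"unexpected predicateType {stmt.get('predicateType')!r}")

    # 1. The artifact in hand must be a subject of the statement, matched by digest;
    #    otherwise the provenance says nothing about this file.
    subject = next((s for s in stmt.get("subject", []) if s.get("name") == artifact_name), None)
    if subject is None:
        problems.append(f"artifact {artifact_name!r} is not a subject of the statement")
    elif subject.get("digest", {}).get("sha256") != sha256_hex(artifact):
        problems.append("subject sha256 does not match the artifact (tampered or wrong file)")

    predicate = stmt.get("predicate", {})

    # 2. Only builders on the allow-list may vouch for the artifact.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        problems.append(f"untrusted builder id {builder_id!r}")

    # 3. The build must have consumed the expected source repository.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(str(d.get("uri", "")).startswith(expected_source) for d in deps):
        problems.append(f"no resolved dependency from expected source {expected_source!r}")
    return problems


if __name__ == "__main__":
    good = build_sample_statement(SAMPLE_ARTIFACT)
    print("good artifact:", verify_provenance(good, SAMPLE_ARTIFACT, SAMPLE_NAME,
                                              TRUSTED_BUILDERS, EXPECTED_SOURCE))
    print("tampered artifact:", verify_provenance(good, SAMPLE_ARTIFACT + b"x", SAMPLE_NAME,
                                                  TRUSTED_BUILDERS, EXPECTED_SOURCE))
```

The three content checks (subject digest, builder identity, source repository) are the points where a verification tool's policy decisions live; the digest check catches a swapped artifact, while the builder and source checks catch a valid-looking attestation produced by the wrong party or from the wrong code. Because each failure is reported as a separate item rather than a bare boolean, the output can be surfaced to the user directly, which is one concrete way to address the unclear-communication problem the abstract describes.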
