SLSA: Vectimus Mapping

SLSA (Supply-chain Levels for Software Artifacts) defines increasing levels of supply chain integrity guarantees. Vectimus maps to Level 2 controls by preventing AI agents from tampering with build inputs, package registries and distribution artifacts.


SLSA Level 2: Build Integrity

Coverage: PARTIAL

SLSA L2 requires that builds use version-controlled source, produce verifiable provenance and resist tampering. Vectimus enforces the tamper-resistance aspect at the agent action level:

  • Lockfile protection: Blocks direct modification of package lockfiles across npm, yarn, pnpm, pip, poetry, uv, cargo, bundler and composer. Lockfile changes must go through proper package management commands, not direct file edits by agents.
  • Registry integrity: Blocks writes to .npmrc, .pypirc, pip.conf and cargo config files that could redirect package resolution to rogue registries.
  • Package publishing: Blocks npm publish and other publishing commands that could distribute compromised packages.
  • Untrusted sources: Blocks pip installs from non-standard indexes, npm installs from URLs and cargo installs from git repositories.
  • CI/CD protection: Blocks writes to GitHub Actions workflows and other CI config files that define build pipelines.
  • MCP supply chain: Default-deny for MCP servers prevents agents from calling unapproved external tool providers.

Key rules: supply-chain (001-008), mcp-safety (001-002), file-integrity (004)
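
The categories above, as an added example (not Vectimus's rule format or code): a pre-execution check that classifies an agent's file writes and shell commands before they run. The lockfile names, the `cargo publish` and `twine upload` entries, the reason strings and the treatment of any explicit pip index override as non-standard are assumptions made for illustration.

```python
import re
import shlex
from itertools import groupby
from pathlib import PurePosixPath

# Assumed names for the ecosystems the page lists; not Vectimus's rule data.
LOCKFILES = {"package-lock.json", "yarn.lock", "pnpm-lock.yaml", "Pipfile.lock",
             "poetry.lock", "uv.lock", "Cargo.lock", "Gemfile.lock", "composer.lock"}
REGISTRY_CONFIGS = {".npmrc", ".pypirc", "pip.conf"}
PUBLISH = {("npm", "publish"), ("cargo", "publish"), ("twine", "upload")}
URL = re.compile(r"(git\+)?(https?|git|ssh)://", re.I)
SEPARATOR = re.compile(r"[;|&()<>]+")  # shell operators that end a simple command

def check_write(path):
    """Return a deny reason for an agent file write, or None to allow it."""
    p = PurePosixPath(path.replace("\\", "/"))
    if p.name in LOCKFILES:
        return "lockfile-edit"
    if p.name in REGISTRY_CONFIGS or (p.parent.name == ".cargo" and p.stem == "config"):
        return "registry-config"
    if "/.github/workflows/" in "/" + p.as_posix():
        return "ci-config"
    return None

def check_argv(argv):
    """Classify one simple command that is already split into arguments."""
    tool, args = PurePosixPath(argv[0]).name, argv[1:]
    sub = next((a for a in args if not a.startswith("-")), "")
    if (tool, sub) in PUBLISH:
        return "package-publish"
    if tool in {"pip", "pip3"} and sub == "install" and any(
            a == "-i" or a.startswith(("--index-url", "--extra-index-url")) for a in args):
        return "untrusted-index"  # any explicit index override counts as non-standard
    if tool == "npm" and sub in {"install", "i", "add"} and any(map(URL.match, args)):
        return "install-from-url"
    if tool == "cargo" and sub == "install" and any(a.startswith("--git") for a in args):
        return "install-from-git"
    return None

def check_command(command):
    """Return a deny reason for an agent shell command, or None to allow it."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split, lex.commenters = True, ""
    try:
        tokens = list(lex)
    except ValueError:
        return "unparseable-command"  # fail closed on unbalanced quotes
    simple = (list(g) for sep, g in groupby(tokens, SEPARATOR.fullmatch) if not sep)
    return next((r for r in map(check_argv, simple) if r), None)
```

Chained commands are split on shell operators so that `cd app && npm publish` is caught, and a command that cannot be tokenised is denied rather than allowed.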


Summary

| Level | Requirement | Coverage | Notes |
|-------|-------------|----------|-------|
| L2 | Version-controlled source | PARTIAL | Git safety rules protect branch integrity |
| L2 | Tamper-resistant build inputs | HIGH | Lockfile, registry and CI config protection |
| L2 | Provenance generation | NOT COVERED | Vectimus does not generate build provenance |
| L2 | Provenance verification | NOT COVERED | Vectimus does not verify artifact signatures |

What Vectimus does not cover

SLSA defines requirements across the full software supply chain lifecycle. Vectimus covers the tamper-resistance controls that are visible as agent tool calls. The following sit outside scope:

  • Build provenance: Generating and signing provenance attestations
  • Artifact verification: Verifying signatures and checksums on consumed artifacts
  • Hermetic builds: Ensuring builds have no network access or undeclared inputs
  • SLSA L3/L4: Hardened build platforms, parameterless builds, two-party review

Organisations pursuing SLSA compliance should use Vectimus alongside build systems that generate provenance (Sigstore, GitHub Artifact Attestations) and verification tools that check it.