[Draft] SLSA compliance

SLSA.md

@@ -0,0 +1,86 @@
+# Galadriel and SLSA Compliance 
+
+One of the base objectives of Galadriel is to provide an offering that follows and aligns with security practices that address threats to the supply chain. As such, Galadriel adopts the [Supply chain Levels for Software Artifacts - SLSA framework](https://slsa.dev/) and other practices highlighted by the [Secure Software Development Framework - SSDF](https://csrc.nist.gov/Projects/ssdf). 
+
+SLSA is a framework that aims to standardize security practices around  three key components of a software supply chain (source, build, and dependencies). For a complete summary of SLSA requirements, refer to the official SLSA project pages: https://slsa.dev/spec/v0.1/requirements.
+
+## Galadriel: SLSA 3+
+
+As Galadriel relies on an externally managed service for the source and build systems, SLSA Level 4 compliance cannot be guaranteed. Galadriel's processes allow it to meet SLSA Level 3+ requirements. Read below to see how Galadriel's processes are meeting SLSA requirements.
+
+### **1. Source Requirements**
+
+| Requirement | Required at SLSA IV | Met by Galadriel |
+| ---- | ------| -------| 
+| [Version-controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled) | Yes | Yes| 
+| [Verified history](https://slsa.dev/spec/v0.1/requirements#verified-history) | Yes| Yes|
+| [Retained Indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely) | Yes | Yes|
+| [Two-person reviewed](https://slsa.dev/spec/v0.1/requirements#two-person-reviewed) | Yes | Yes|
+
+**Galadriel's Process:** 
+- Github is used as a version control system
+- Commits are assigned  numeric identifiers
+- Commits store information about the author, commit time, and comments
+- All commits include DCO
+- Github ensures there is no collition with other source content
+- [Galadriel's contribution guidelines](https://github.com/HewlettPackard/galadriel/blob/main/CONTRIBUTING.md) define roles and responsibilities and mandate a peer review before merging any changes. These are enforced via Github workflows and actions.
+- Galadriel retains all sources, comments, commits, reviews, and binaries indefinetily. 
+
+### **2. Build Requirements**
+
+| Requirement | Required at SLSA IV | Met by Galadriel |
+| ---- | ------| -------|
+| [Scripted](https://slsa.dev/spec/v0.1/requirements#scripted-build) | Yes | Yes|
+| [Build Service](https://slsa.dev/spec/v0.1/requirements#build-service) | Yes | Yes|
+| [Build as Code](https://slsa.dev/spec/v0.1/requirements#build-as-code) | Yes | Yes|
+| [Ephimeral Environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment) | Yes | Yes|
+| [Isolated](https://slsa.dev/spec/v0.1/requirements#isolated) | Yes | Yes|
+| [Parameterless](https://slsa.dev/spec/v0.1/requirements#parameterless) | Yes | Yes
+| [Hermetic](https://slsa.dev/spec/v0.1/requirements#hermetic) | Yes | No|
+| [Reproducible](https://slsa.dev/spec/v0.1/requirements#reproducible) | No | No|
+
+
+**Galadriel's Process:** 
+- Build scripts are Makefile and .github/go.yaml (we need to define which one we will use)
+- Github actions and workflows are used to execute build script
+- Each build runs in an isolated container provided and provisioned by Github solely for this purpose. Isolation of the build is provided by build service
+- The build is executed without any user interaction. Github Actions Workflow_dispatch inputs are empty
+- Github as a build services does not provide the visibility to verify hermetic and reproducible requirements. 
+
+### **3. Provenance Requirements**
+
+| Requirement | Required at SLSA Level IV | Met by Galadriel |
+| ---- | ------| -------|
+| [Available](https://slsa.dev/spec/v0.1/requirements#available) | Yes | Yes|
+| [Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated) | Yes | Yes|
+| [Service Generated](https://slsa.dev/spec/v0.1/requirements#service-generated) | Yes | Yes|
+| [Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable) | Yes | Yes|
+| [Dependencies Complete](https://slsa.dev/spec/v0.1/requirements#dependencies-complete) | Yes | Yes|
+
+**Galadriel's Process:** 
+- Provenance is generated by SLSA Go Releaser Github Action
+- Provenance records are signed by Github after the build
+- Provenance is uploaded to Sigstore via SLSA Go Releaser
+- Build dependencies are included in the provenance record
+- All build steps, sources, and dependencies are included in the provenance record
+- The provenance identifies the artifact, builder, build instructions, source code (repository origin), entry point (git URL+branch/gag/ref+CommitID), and build parameters.
+
+### **4. Common Requirements**
+
+| Requirement | Required at SLSA Level 4| Met by Galadriel|
+| ---- | ------| -------|
+| [Security](https://slsa.dev/spec/v0.1/requirements#security) | Yes | ? |
+| [Access](https://slsa.dev/spec/v0.1/requirements#access) | Yes | ? |
+| [Superusers](https://slsa.dev/spec/v0.1/requirements#superusers) | Yes | ? |
+
+**Galadriel's Process:** 
+- Github is used as source and build service and Galadriel relies on it to meet the security, access, and super users requirements.
+
+## Other Security Practices
+
+- Governance and policies included in the [contribution guidelines](https://github.com/HewlettPackard/galadriel/blob/main/CONTRIBUTING.md) are reflected in the pipeline via Github workflows 
+- Code and vulneratbilty analysis via OpenSSF Scorecards, CodeQL, and Trivy
+- Fuzzing? There is an open issue about this.
+- Github Dependabot enabled
+- SBOM generation via gh-gmod-generate-sbom action
+