GitHub Launches SLSA Build Level 3 Security with Full Code-to-Cloud Traceability

GitHub rolled out a big safety improve on January 20, 2026, introducing new APIs and tooling that permit improvement groups observe construct artifacts from supply code all the way in which to manufacturing environments—even when these artifacts dwell outdoors GitHub’s ecosystem.

The discharge addresses a persistent blind spot in enterprise software program safety: figuring out precisely what code is working in manufacturing and whether or not it matches what was truly constructed. With software program provide chain assaults turning into more and more refined, that visibility hole has grow to be a legal responsibility.

What’s Truly New

Three core capabilities make up the discharge. First, new REST API endpoints enable groups to create storage data (capturing the place artifacts dwell in package deal registries) and deployment data (monitoring the place code is working and related runtime dangers like web publicity or delicate information processing). These APIs work with exterior CI/CD instruments and cloud monitoring techniques, not simply GitHub Actions.

Second, a brand new “Linked artifacts view” within the group Packages tab consolidates all artifact information—attestations, storage areas, deployment historical past—right into a single dashboard. For groups utilizing GitHub’s artifact attestations, every artifact will get cryptographically sure to its supply repository and construct workflow.

Third, production-context filtering now works throughout Dependabot alerts, code scanning alerts, and safety campaigns. Groups can filter by artifact registry, deployment standing, and runtime danger, then mix these filters with EPSS and CVSS scores to prioritize what truly issues.

The SLSA Connection

The cryptographic binding piece is what allows SLSA Construct Stage 3 compliance—a provide chain safety framework that requires verifiable provenance for construct artifacts. Reasonably than trusting {that a} container picture got here from a particular commit, groups can mathematically confirm it. The system surfaces construct provenance attestations, attested SBOMs, and customized attestations via the artifact view.

Integration Companions at Launch

Microsoft Defender for Cloud (at present in public preview) handles deployment and runtime information integration. JFrog Artifactory offers storage and promotion context. Each supply native integrations requiring no extra configuration. For groups utilizing different tooling, the REST APIs settle for data from any supply.

GitHub’s attest-build-provenance motion can mechanically generate storage data when publishing artifacts, decreasing guide overhead for groups already within the GitHub Actions ecosystem.

Why This Issues for Enterprise Groups

Code-to-cloud traceability has grow to be a compliance requirement in regulated industries and a sensible necessity all over the place else. Realizing whether or not a flagged vulnerability truly made it to manufacturing—versus sitting in an unused department—basically modifications remediation priorities. Safety groups waste important time chasing vulnerabilities in code that by no means ships.

The timing aligns with broader trade strikes towards software program provide chain verification. With the characteristic now dwell, groups can begin constructing deployment data and testing the filtering capabilities instantly. Dialogue threads are lively in GitHub Group for groups working via implementation particulars.

Picture supply: Shutterstock