GitHub Launches SLSA Build Level 3 Security with Full Code-to-Cloud Traceability

By WebDesk | January 20, 2026 | 3 Mins Read
Jessie A Ellis
Jan 20, 2026 20:26

GitHub releases new APIs and artifact tracking tools enabling enterprises to trace software from source code through production deployment with cryptographic verification.





GitHub rolled out a significant security upgrade on January 20, 2026, introducing new APIs and tooling that let development teams track build artifacts from source code all the way to production environments—even when those artifacts live outside GitHub’s ecosystem.

The release addresses a persistent blind spot in enterprise software security: knowing exactly what code is running in production and whether it matches what was actually built. With software supply chain attacks becoming increasingly sophisticated, that visibility gap has become a liability.

What’s Actually New

Three core capabilities make up the release. First, new REST API endpoints allow teams to create storage records (capturing where artifacts live in package registries) and deployment records (tracking where code is running and associated runtime risks like internet exposure or sensitive data processing). These APIs work with external CI/CD tools and cloud monitoring systems, not just GitHub Actions.

Second, a new “Linked artifacts view” in the organization Packages tab consolidates all artifact data—attestations, storage locations, deployment history—into a single dashboard. For teams using GitHub’s artifact attestations, each artifact gets cryptographically bound to its source repository and build workflow.

Third, production-context filtering now works across Dependabot alerts, code scanning alerts, and security campaigns. Teams can filter by artifact registry, deployment status, and runtime risk, then combine those filters with EPSS and CVSS scores to prioritize what actually matters.

The SLSA Connection

The cryptographic binding is what enables SLSA Build Level 3 compliance. SLSA is a supply chain security framework that requires verifiable provenance for build artifacts. Rather than trusting that a container image came from a specific commit, teams can verify it cryptographically. The system surfaces build provenance attestations, attested SBOMs, and custom attestations through the artifact view.
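
What verifying provenance, rather than trusting it, looks like at the claims level, as an added example that is not from GitHub or the original article: the check below compares an in-toto Statement carrying SLSA v1 provenance against the artifact's digest and an expected repository, workflow and commit. It assumes the attestation's signature has already been verified by a separate tool; the function name, the policy layout and all sample values are hypothetical and constructed.

```python
import hashlib

SLSA_V1 = "https://slsa.dev/provenance/v1"

def check_provenance(artifact: bytes, statement: dict, policy: dict) -> list:
    """Return policy violations; an empty list means the claims match."""
    problems = []
    build = statement.get("predicate", {}).get("buildDefinition", {})
    workflow = build.get("externalParameters", {}).get("workflow", {})
    # 1. The attestation must be about these exact bytes.
    digest = hashlib.sha256(artifact).hexdigest()
    if digest not in {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}:
        problems.append("artifact digest is not a subject of the statement")
    # 2. It must be SLSA provenance, not some other attestation type.
    if statement.get("predicateType") != SLSA_V1:
        problems.append("predicateType is not SLSA provenance v1")
    # 3. Source repository and build workflow must be the expected ones.
    if workflow.get("repository") != policy["repository"]:
        problems.append("built from an unexpected repository")
    if workflow.get("path") not in policy["workflows"]:
        problems.append("built by an unapproved workflow")
    # 4. The reviewed commit must be among the resolved build inputs.
    commits = {d.get("digest", {}).get("gitCommit") for d in build.get("resolvedDependencies", [])}
    if policy["commit"] not in commits:
        problems.append("expected commit is not in resolvedDependencies")
    return problems

# Constructed sample data (hypothetical org, repo, workflow and commit).
ARTIFACT = b"constructed release artifact"
COMMIT = "0123456789abcdef0123456789abcdef01234567"
REPO = "https://github.com/example-org/example-app"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_V1,
    "predicate": {"buildDefinition": {
        "externalParameters": {"workflow": {"repository": REPO, "path": ".github/workflows/release.yml", "ref": "refs/heads/main"}},
        "resolvedDependencies": [{"uri": "git+" + REPO + "@refs/heads/main", "digest": {"gitCommit": COMMIT}}],
    }},
}
POLICY = {"repository": REPO, "workflows": {".github/workflows/release.yml"}, "commit": COMMIT}

if __name__ == "__main__":
    print(check_provenance(ARTIFACT, STATEMENT, POLICY))         # untouched artifact
    print(check_provenance(ARTIFACT + b"!", STATEMENT, POLICY))  # modified after build
```

A claims check like this is only meaningful after the signature on the attestation envelope has been validated; on its own it proves nothing about who produced the statement.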

Integration Partners at Launch

Microsoft Defender for Cloud (currently in public preview) handles deployment and runtime data integration. JFrog Artifactory provides storage and promotion context. Both offer native integrations requiring no additional configuration. For teams using other tooling, the REST APIs accept records from any source.

GitHub’s attest-build-provenance action can automatically generate storage records when publishing artifacts, reducing manual overhead for teams already in the GitHub Actions ecosystem.

Why This Matters for Enterprise Teams

Code-to-cloud traceability has become a compliance requirement in regulated industries and a practical necessity everywhere else. Knowing whether a flagged vulnerability actually made it to production—versus sitting in an unused branch—fundamentally changes remediation priorities. Security teams waste significant time chasing vulnerabilities in code that never ships.

The timing aligns with broader industry moves toward software supply chain verification. With the feature now live, teams can start building deployment records and testing the filtering capabilities immediately. Discussion threads are active in GitHub Community for teams working through implementation details.
