Can MCP be used in regulated environments like SOC2 or HIPAA

Why slsa is a big deal for identity attestation

Ever wonder why our supply chains are such a disaster? Honestly, it’s because we’re building on sand. A report from Sonatype notes that supply chain attacks jumped 650% in a single year, which is just wild.

We've got a massive trust gap. Most artifacts can't prove where they came from or who touched them. Before we dive in, we need to talk about Non-Human Identity (nhi). In modern dev, most "users" aren't people—they're service accounts, bots, and CI/CD runners. If you don't secure these machine identities, your whole pipeline is wide open.

• Identity is the heart: If a machine identity isn't tied to the build, you’re just guessing.
• Retail & Finance: These industries are huge targets. For finance, slsa helps meet strict PCI-DSS requirements by proving exactly who authorized a transaction-related build. In retail, it ensures that a point-of-sale update hasn't been tampered with by a rogue process.
• Automation risks: We automate everything, but without slsa, we just automate the spread of bad code.

As GitLab explains, slsa helps us track the "who, what, and how" of every package. It’s basically a birth certificate for your code. By using a tiered framework, slsa solves these identity gaps by providing a standardized way to verify every step of the software lifecycle.

Breaking down the slsa Build Levels for workload identities

So, you want to know how slsa actually works in the real world? It’s not just some abstract checklist; it’s about making sure your machine identities aren't lying to you during the build. Under the new slsa v1.0 spec, these are specifically called Build Levels.

• Build Level 1: Provenance Exists: This is the "who, what, and where" phase. You get a basic record showing an entity—maybe a build server in a bank's backend—actually created the package. It’s better than nothing, but easy to fake since the build process itself isn't protected.
• Build Level 2: Hosted Build: Here, the build must run on a hosted service that generates the provenance itself. If a retail giant is pushing out a new api, level 2 ensures the build platform's identity is verified, which stops a random dev from injecting malicious code on their local machine.
• Build Level 3: Hardened Build: This is where things get serious for finance or critical infrastructure. As CyberArk explains, Build L3 requires the build platform to be isolated and the provenance to be "unforgeable." This means even if an admin is compromised, they can't mess with the build record.

Basically, as you move up, you're making it harder for attackers to mess with the "birth certificate" of your software. Honestly, if you're in a regulated industry, you can't afford to stay at level 1. With the risks established, let's look at the technical architecture of these machine identities.

The role of non-human identity in provenance

Honestly, we talk a lot about "who" built the code, but in a modern pipeline, the "who" is almost always a machine. If you don't manage these non-human identities (nhi), your provenance is basically a pinky swear.

Every build runner or service account has a lifecycle that needs watching. If a runner’s identity isn't attested, an attacker could hijack the process and sign malicious artifacts with legitimate keys.

• Identity Attestation: Before signing, the system must prove the runner is authorized and untampered.
• Lifecycle Risks: In industries like healthcare, where HIPAA compliance is a nightmare, a stale api key on a build server is a massive backdoor that could leak patient data.
• Hardened Runners: As noted earlier by the slsa framework, Build L3 requires total isolation so build secrets stay hidden from the user code.

Managing these complex risks is why groups like the Non-Human Identity Management Group (NHIMG) are pushing for better frameworks around workload trust. Now that we get the "why," let's dive into how to actually implement this without breaking your pipelines.

Implementing identity attestation in your ci/cd

So, we’ve talked about the theory, but how do you actually stop your ci/cd from being a "pinky swear" operation? It comes down to binding your workload identity directly to the slsa metadata so nobody can mess with it later.

Most modern pipelines use oidc to grab short-lived tokens. This is huge because it means your build runner doesn't need a long-lived password that could get stolen. Instead, the runner proves who it is to an issuer (like GitHub Actions, GitLab, or a corporate Vault), gets a token, and uses that to sign the provenance.

• OIDC Tokens: Use these for machine-to-machine trust without static secrets.
• Verification Summary Attestations (VSA): As mentioned earlier by the gitlab docs, these help you summarize complex build checks into a simple "yes/no" for your production gates.
• Secret Management: Keep your signing keys in a hardened kms. If a dev can see the key, so can an attacker.

When the artifact hits production, your verifier (like a Kubernetes admission controller) checks the signature. It asks: "Is this signed by the specific build runner identity I trust?" If a retail app or a healthcare database sees a signature from an unauthorized nhi, it just won't run.

Honestly, implementing this isn't just about security—it's about sleep. By combining cryptographic identity attestation with the slsa framework, you create a supply chain that's actually verifiable. It moves us away from "trusting" that a build is safe to actually proving it, ensuring that every piece of code in your environment has a legitimate, non-human identity behind it.