Provenance
Provenance is verifiable metadata about an artifact's source and build, letting consumers trace and trust where software came from.
Provenance is the recorded, verifiable history of a software artifact: what source it was built from, which build system produced it, and what inputs went into it. Captured as a signed attestation, provenance lets a consumer answer "where did this come from?" with evidence rather than trust.
How It Works
Build systems emit provenance as an attestation bound to the artifact's digest. It typically names the builder identity, the source repository and commit, and the materials (inputs) consumed during the build. The statement is signed — with a managed key or keylessly against a public transparency log — so it cannot be forged or altered after the fact.
A verifier checks the signature and the recorded identity against a policy: it accepts provenance only from an expected builder and source. The SLSA framework grades how complete and tamper-resistant this provenance is, from a basic signed statement up to hardened, non-falsifiable build records.
Why It Matters
Most supply-chain attacks work by slipping a malicious change into the build or distribution path. Provenance closes that gap: if the artifact you received doesn't carry provenance from the builder and source you expect, you don't run it. It turns "we think this came from our pipeline" into a checkable fact, which is why regulators and enterprise buyers increasingly ask for it.
Related Terms
Provenance is delivered as an attestation, graded by SLSA, often shipped alongside an SBOM, and is a core control of supply-chain security.