What Is Build Integrity? Trusting That Your Artifact Was Not Tampered With
Build integrity is the assurance that an artifact was built from exactly the expected source, by exactly the expected process, with no tampering in between.
You review the source code and you trust the final artifact, but what happened in between? Build integrity is about that gap: proving the binary you ship really came from the source you reviewed, through a build nobody subverted. It is the property that supply-chain attacks like SolarWinds specifically targeted by tampering mid-build.
What can go wrong in the middle
- A malicious dependency injects code during the build.
- A compromised build server alters the output.
- The artifact is swapped after the build but before release.
- A poisoned build script changes what gets produced.
Establishing integrity
Build integrity is built from several practices: a hardened, isolated build environment so the build cannot be tampered with; signed provenance recording how the artifact was made; and reproducible builds so anyone can confirm the same source yields the same binary.
Verifying it downstream
Consumers verify integrity by checking provenance and attestations: does this artifact have valid, signed provenance? Does it name the expected source and builder? Does its digest match? A deployment gate can require all of this before accepting the artifact.
Reproducible builds as proof
If a build is reproducible, two independent parties building the same source get byte-identical artifacts. That lets anyone confirm the released binary genuinely corresponds to the source, with no hidden additions, the strongest form of integrity evidence.
The build environment is the foundation
Every integrity guarantee rests on a trustworthy builder. If the build environment can be tampered with, its provenance and signatures attest to a compromised process. Isolated, ephemeral build environments (like Latchkey runners) give each build a clean, contained foundation so the integrity claims are meaningful.
Key takeaways
- Build integrity assures the artifact matches the source via an untampered build.
- Hardened builders, signed provenance, and reproducible builds establish it.
- Downstream gates verify provenance and attestations before accepting an artifact.