What Is Build Provenance?
Build provenance is a tamper-evident record describing exactly how a software artifact was produced: which source commit, which build system, which inputs, and which steps. Typically signed and attached to the artifact, it lets consumers verify that a binary came from a trusted pipeline rather than an attacker. It is central to modern supply-chain security frameworks like SLSA.
Why it matters
Knowing what a binary is is not enough; you need to know where it came from. Provenance answers that with verifiable evidence, so a compromised dependency or rogue build can be detected. GitHub Actions can generate provenance attestations for artifacts automatically.
Related concepts
- SLSA defines provenance requirements by level
- Often expressed as an in-toto attestation
- SBOMs complement provenance by listing components
Related guides
What Is SLSA?SLSA is a security framework that defines graduated levels of build-integrity assurance to harden software su…
What Is an SBOM (Software Bill of Materials)?A software bill of materials (SBOM) is a complete inventory of the components and dependencies that make up a…
What Is a Reproducible Build?A reproducible build produces bit-for-bit identical output every time from the same source, letting anyone in…