Skip to content
Latchkey

What Is Build Provenance?

Build provenance is a tamper-evident record describing exactly how a software artifact was produced: which source commit, which build system, which inputs, and which steps. Typically signed and attached to the artifact, it lets consumers verify that a binary came from a trusted pipeline rather than an attacker. It is central to modern supply-chain security frameworks like SLSA.

Why it matters

Knowing what a binary is is not enough; you need to know where it came from. Provenance answers that with verifiable evidence, so a compromised dependency or rogue build can be detected. GitHub Actions can generate provenance attestations for artifacts automatically.

Related concepts

  • SLSA defines provenance requirements by level
  • Often expressed as an in-toto attestation
  • SBOMs complement provenance by listing components

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →