Skip to content
Latchkey

Provenance Predicate - CI/CD Glossary Definition

A provenance predicate is the machine-readable part of a build attestation that says who built an artifact, from what source, and how, so consumers can verify its origin.

A provenance predicate is the structured claim inside a build attestation that records how an artifact was produced, including the builder, the source commit, and the build parameters, following formats such as SLSA and in-toto.

Provenance is the "how it was built" half of software supply-chain security, complementing an SBOM’s "what is inside".

What it records

A SLSA-style predicate captures the builder identity, the source repository and commit, the entry point (workflow), and the resolved inputs. A verifier checks these against policy before trusting the artifact.

In CI

GitHub Actions can generate signed provenance for build outputs; verifying it downstream blocks artifacts that did not come from your trusted pipeline.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →