Provenance Predicate - CI/CD Glossary Definition
A provenance predicate is the machine-readable part of a build attestation that says who built an artifact, from what source, and how, so consumers can verify its origin.
A provenance predicate is the structured claim inside a build attestation that records how an artifact was produced, including the builder, the source commit, and the build parameters, following formats such as SLSA and in-toto.
Provenance is the "how it was built" half of software supply-chain security, complementing an SBOM’s "what is inside".
What it records
A SLSA-style predicate captures the builder identity, the source repository and commit, the entry point (workflow), and the resolved inputs. A verifier checks these against policy before trusting the artifact.
In CI
GitHub Actions can generate signed provenance for build outputs; verifying it downstream blocks artifacts that did not come from your trusted pipeline.