This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-slsa-build-provenance.md

44 lines
1.2 KiB
Markdown

# Pattern: SLSA Build Provenance
Status: seed
Readiness target: RL3 production
Primary owners: artifact-store, product repos, Railiance platform
Genesis family: Supply chain
## Problem
Production artifacts are hard to trust if the platform cannot prove
which source, builder, dependencies, and process produced them.
## Context
Use this pattern for release pipelines, container builds, package
publishing, artifact-store metadata, and deployment admission.
## Forces
- Provenance must be generated by a trustworthy build process.
- Developers need usable build workflows.
- Provenance must be verifiable after release.
- Admission and incident response need artifact lineage.
## Solution
Emit SLSA-style provenance for production artifacts, linking artifact
digest to source repository, commit, builder identity, workflow, inputs,
and build parameters.
## Verification
- Production artifacts carry verifiable provenance.
- Provenance links to protected source and trusted builder identity.
- Admission or release promotion checks provenance policy.
- Incident triage can trace an artifact back to source and build.
## Related Patterns
- Supply-Chain Provenance.
- Protected Main Branch.
- Quarantined Build Runner.
- Signed Container Images.