This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-slsa-build-provenance.md

1.2 KiB

Pattern: SLSA Build Provenance

Status: seed Readiness target: RL3 production Primary owners: artifact-store, product repos, Railiance platform Genesis family: Supply chain

Problem

Production artifacts are hard to trust if the platform cannot prove which source, builder, dependencies, and process produced them.

Context

Use this pattern for release pipelines, container builds, package publishing, artifact-store metadata, and deployment admission.

Forces

  • Provenance must be generated by a trustworthy build process.
  • Developers need usable build workflows.
  • Provenance must be verifiable after release.
  • Admission and incident response need artifact lineage.

Solution

Emit SLSA-style provenance for production artifacts, linking artifact digest to source repository, commit, builder identity, workflow, inputs, and build parameters.

Verification

  • Production artifacts carry verifiable provenance.
  • Provenance links to protected source and trusted builder identity.
  • Admission or release promotion checks provenance policy.
  • Incident triage can trace an artifact back to source and build.
  • Supply-Chain Provenance.
  • Protected Main Branch.
  • Quarantined Build Runner.
  • Signed Container Images.