#18 · DELIVERY · PACKAGE · Elite
Artifact Provenance
Trace commit → image → digest chain
Medium
Overview
Cryptographically verifiable chain linking source commit to built artifact. Proves what code produced which artifact.
Why It Matters
Answer 'what commit is in prod?' definitively. Full traceability from code to container.
The Risk
Without provenance, you can't definitively answer 'what code is running in production?' Supply chain attacks can inject malicious artifacts. Compliance audits fail.
Implementation Components
A complete implementation of this capability includes:
- SLSA provenance generation during build
- Cryptographic link from commit SHA to artifact digest
- Signed attestations stored with artifact
- Automated verification during deployment
- Searchable provenance database
- Integration with artifact registry and git
Implementation Pattern
1. Generate SLSA provenance
2. Link commit hash to artifact digest
3. Sign provenance
4. Store alongside artifact
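As an added illustration of the four steps above (this is example code, not from the original page or any SLSA project): a small stdlib-only Python script that builds an in-toto Statement carrying a SLSA v1 provenance predicate, binds the commit SHA to the image digest, wraps it in a DSSE envelope, and then runs the deployment-time check that recovers the commit for a given digest. Signing uses HMAC-SHA256 as a stand-in for the asymmetric signature a real pipeline would use (e.g. Sigstore/cosign); the repo URI, builder id, key and SHAs are constructed sample values.

```python
# Added example: commit -> image -> digest provenance chain, signed and verified.
# Statement/predicate layout follows in-toto Statement v1 and SLSA v1 as the author
# understands them; HMAC is a stand-in for a real (asymmetric) signature.
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Constructed sample values (not real commits, digests or keys):
KEY = b"demo-hmac-key-replace-with-real-signer"
COMMIT = "a" * 40      # git commit SHA that was built
DIGEST = "b" * 64      # sha256 digest of the resulting image

def make_provenance(repo_uri, commit_sha, image_name, image_digest, builder_id):
    """Step 1+2: SLSA provenance statement linking the commit to the artifact digest."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": image_name, "digest": {"sha256": image_digest}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/ci/docker-build/v1",   # placeholder
                "externalParameters": {"source": {"uri": repo_uri, "digest": {"gitCommit": commit_sha}}},
                "resolvedDependencies": [{"uri": repo_uri, "digest": {"gitCommit": commit_sha}}],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }

def _pae(payload_type, payload):
    # DSSE pre-authentication encoding: binds payload type and body under one signature.
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)

def sign_envelope(statement, key, keyid):
    """Step 3: DSSE envelope; store this next to the image in the registry (step 4)."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, _pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify_and_trace(envelope, key, deployed_digest):
    """Deployment check: signature valid and subject covers the digest being deployed.
    Returns the commit SHA that produced it, otherwise raises ValueError."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, _pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        raise ValueError("provenance signature invalid")
    stmt = json.loads(payload)
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        raise ValueError("unexpected predicate type")
    if not any(s["digest"].get("sha256") == deployed_digest for s in stmt["subject"]):
        raise ValueError("attestation does not cover the deployed digest")
    return stmt["predicate"]["buildDefinition"]["externalParameters"]["source"]["digest"]["gitCommit"]
```

Answering "what commit is in prod?" then becomes `verify_and_trace(envelope, key, digest_of_running_image)`; a digest the attestation does not cover, or a tampered envelope, is rejected rather than deployed.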
Tool Examples
These are examples, not endorsements. Choose what fits your context.