#18 DELIVERY PACKAGE Elite
Artifact Provenance
Trace commit → image → digest chain
Medium
Overview
Cryptographically verifiable chain linking source commit to built artifact. Proves what code produced which artifact.
Why It Matters
Answer 'what commit is in prod?' definitively. Full traceability from code to container.
Implementation Pattern
- 1. Generate SLSA provenance
- 2. Link commit hash to artifact digest
- 3. Sign provenance
- 4. Store alongside artifact
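The four steps above as an added example (not from the original page and not any tool's own code): an in-toto Statement with a SLSA v1 provenance predicate binds the commit to the artifact digest and is wrapped in a DSSE envelope that would be stored next to the artifact. Assumptions: HMAC-SHA256 stands in for the asymmetric or keyless signature a real pipeline would use, and the function names, key, build type and builder id are constructed.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
DEMO_KEY = b"constructed-demo-key"  # assumption: HMAC stand-in for a real signing key

def pae(payload_type: str, body: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes that get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(body), body)

def make_statement(name, artifact, repo_uri, commit, builder_id):
    """Steps 1-2: SLSA provenance linking the commit to the artifact digest."""
    digest = hashlib.sha256(artifact).hexdigest()
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": digest}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/constructed-build/v1",
                "externalParameters": {"repository": repo_uri},
                "resolvedDependencies": [{"uri": repo_uri, "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }

def sign(statement, key, keyid):
    """Step 3: DSSE envelope; step 4 is storing this JSON beside the artifact."""
    body = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(body).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def commit_for(envelope, key, artifact):
    """Answer 'what commit is this?': check signature, then digest, then read commit."""
    if envelope["payloadType"] != PAYLOAD_TYPE:
        raise ValueError("unexpected payload type")
    body = base64.b64decode(envelope["payload"])
    want = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()
    got = base64.b64decode(envelope["signatures"][0]["sig"])
    if not hmac.compare_digest(want, got):
        raise ValueError("provenance signature invalid")
    stmt = json.loads(body)
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s["digest"].get("sha256") == digest for s in stmt["subject"]):
        raise ValueError("artifact digest not covered by this provenance")
    return stmt["predicate"]["buildDefinition"]["resolvedDependencies"][0]["digest"]["gitCommit"]
```

The verifier checks the signature before trusting any field of the payload, so an edited commit hash or a swapped artifact is rejected rather than reported.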
Tool Examples
These are examples, not endorsements. Choose what fits your context.
Dependencies
Requires (must have first)
Enhanced by (more effective with)
Enables (unlocks)