Inferensys

Glossary

SLSA Provenance

SLSA provenance is a cryptographically signed, tamper-proof attestation that describes the origin, build process, and dependencies of a software artifact to prevent supply chain attacks.
Supply chain manager using AI negotiator on laptop, supplier data visible, casual office afternoon setup.
SUPPLY CHAIN INTEGRITY

What is SLSA Provenance?

SLSA provenance is a verifiable, tamper-proof attestation that cryptographically documents the origin, build process, and dependencies of a software artifact to prevent supply chain attacks.

SLSA provenance is a machine-readable, cryptographically signed statement that describes how a software artifact was created, including the exact source repository, build system, entry point, and materials used. It is a core requirement of the Supply-chain Levels for Software Artifacts (SLSA) framework, providing a non-repudiable record that allows consumers to verify that an artifact was generated from trusted source code through an authorized build pipeline, not tampered with post-build.

A provenance attestation is generated by a trusted build service and stored alongside the artifact in a registry using the in-toto metadata format. It captures the complete build recipe, including all input hashes and environment variables, creating a verifiable chain of custody. Tools like Cosign and Sigstore are used to sign these attestations, enabling automated policy enforcement in admission controllers that reject artifacts lacking valid provenance, thereby mitigating dependency confusion and compromised build infrastructure attacks.

SUPPLY CHAIN INTEGRITY

Key Features of SLSA Provenance

SLSA Provenance provides a cryptographically verifiable record of the build process, enabling organizations to trace artifacts back to their source and prevent supply chain attacks.

02

Hermetic Build Execution

A hermetic build runs in an isolated environment with no network access, ensuring all dependencies are declared and verified beforehand. This eliminates a critical attack vector where a compromised upstream package could inject malicious code mid-build.

  • All inputs are resolved and hashed before execution
  • No implicit reliance on mutable external resources
  • Guarantees bit-for-bit reproducibility of the output artifact
03

Verifiable Attestation Chains

SLSA uses in-toto attestations wrapped in a DSSE (Dead Simple Signing Envelope) format. Each attestation is cryptographically signed by the build platform's trusted key, creating an unbroken chain from source to artifact.

  • Attestations include the subject (the artifact digest) and the predicate (the provenance data)
  • Verification policies can be enforced at deploy time via Binary Authorization
  • Integrates with Sigstore for keyless signing using OIDC identities
05

Policy Enforcement at Deploy Time

Provenance data is not just for auditing—it actively gates deployments. Kubernetes admission controllers can validate SLSA attestations before a pod is scheduled, rejecting images that lack a trusted provenance or were built on an unapproved platform.

  • Integrates with OPA/Gatekeeper and Kyverno
  • Policies can require a minimum SLSA level for production namespaces
  • Prevents accidental deployment of developer-built images into secured environments
06

Integration with SBOMs

SLSA provenance complements the Software Bill of Materials (SBOM). While an SBOM lists what is inside an artifact, provenance attests to how those components were assembled. Together, they provide full supply chain transparency.

  • Provenance can reference an SBOM as a separate attestation
  • Enables automated vulnerability correlation: if a CVE is found, provenance traces it back to the exact build
  • Both are stored as OCI artifacts in the same registry as the image
SLSA PROVENANCE

Frequently Asked Questions

Clear answers to common questions about the SLSA framework, its implementation levels, and how it secures software supply chains against tampering.

SLSA provenance is a tamper-proof, cryptographically verifiable record that describes the origin, build process, and dependencies of a software artifact. It works by capturing metadata at build time—including the source repository, builder identity, build commands, and input materials—and encoding it into an in-toto attestation that is signed and stored alongside the artifact in a registry. This provenance document creates an unforgeable chain of custody, allowing downstream consumers to verify that the artifact was produced by a trusted builder from a specific source commit without unauthorized modifications. The framework defines four ascending levels of security rigor, from basic documentation (Level 1) to hermetic, isolated builds with reproducible outputs (Level 4).

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.