DevOps Glossary

SLSA Provenance

SLSA Provenance is signed build metadata recording an artifact’s source, build steps, and builder for verification.

SLSA Provenance is a signed attestation, generated by the build platform rather than by the developer, that records where a software artifact came from, how it was built, and which build system produced it. SLSA stands for Supply-chain Levels for Software Artifacts. In practical terms, SLSA Provenance lets you verify that a container image, binary, package, or library was built from the expected source code by an approved build system, using the documented build steps. It is expressed as an in-toto statement whose subject is the output artifact’s digest and whose predicate records the source repository and commit, the build type and its parameters (workflow or build command), the builder identity, and timestamps. Because the provenance is bound to the artifact by that digest and signed by the builder, a consumer must verify the signature against the expected builder’s key or identity before trusting any field in it; unsigned or self-reported build metadata proves nothing. Teams use it to detect tampering, gate deployments on artifact verification, meet software supply chain security requirements, and trace production artifacts back to source. For example, before deploying a container image, a policy engine can check its provenance to confirm that the image was produced by a specific trusted builder (such as a pinned GitHub Actions workflow) from the organization’s main repository and branch, rather than from an unknown workstation or modified source.