# Provenance

> Provenance attestation library for SLSA/DSSE compliance.

## Purpose

Provenance provides deterministic, verifiable provenance attestations for all StellaOps artifacts. It enables SLSA compliance through DSSE statement generation, Merkle tree construction, and cryptographic verification.

## Quick Links

- [Architecture](./architecture.md) - Technical design and implementation details
- [Guides](./guides/) - Attestation generation guides

## Status

| Attribute | Value |
|-----------|-------|
| **Maturity** | Production |
| **Last Reviewed** | 2025-12-29 |
| **Maintainer** | Security Guild |

## Key Features

- **DSSE Statement Generation**: Build provenance attestations per DSSE spec
- **SLSA Compliance**: Support for SLSA build predicates
- **Merkle Tree Construction**: Content-addressed integrity verification
- **Promotion Attestations**: Track artifact promotions across environments
- **Verification Harness**: Validate attestation chains
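As an added illustration of the Merkle tree and verification-harness features listed above (example code written for this page, not the Provenance library's own API), the following Python builds an RFC 6962-style Merkle tree over artifact digests, produces an inclusion proof for one leaf, and checks that proof against the root. Leaf and interior nodes are hashed with different domain-separation prefixes, and odd-sized levels are split at the largest power of two rather than by duplicating the last node. The artifact contents and function names are this example's own, not the module's.

```python
import hashlib
import hmac
from typing import List, Tuple

# RFC 6962-style domain separation: leaf and interior hashes use different
# prefixes, so an interior node can never be passed off as a leaf (or vice versa).
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    """Merkle tree hash over an ordered list of leaves (RFC 6962 MTH).
    Reordering, altering, adding or removing any leaf changes the root."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()  # empty-tree convention
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


# An inclusion proof is the list of sibling hashes from the leaf up to the root,
# each tagged with whether that sibling sits to the LEFT of the audited path.
Proof = List[Tuple[bytes, bool]]


def inclusion_proof(leaves: List[bytes], index: int) -> Proof:
    n = len(leaves)
    if not 0 <= index < n:
        raise IndexError("leaf index out of range")
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(merkle_root(leaves[k:]), False)]
    return inclusion_proof(leaves[k:], index - k) + [(merkle_root(leaves[:k]), True)]


def verify_inclusion(leaf: bytes, proof: Proof, expected_root: bytes) -> bool:
    """Recompute the root from a leaf and its proof; compare in constant time."""
    h = leaf_hash(leaf)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return hmac.compare_digest(h, expected_root)


def demo_root() -> bytes:
    # CONSTRUCTED sample artifacts. The leaves are the artifacts' SHA-256
    # digests, i.e. the same content addresses an attestation subject carries.
    artifacts = [b"sbom.cdx.json (sample)", b"app.tar.gz (sample)", b"app.sig (sample)"]
    return merkle_root([hashlib.sha256(a).digest() for a in artifacts])


if __name__ == "__main__":
    digests = [hashlib.sha256(a).digest() for a in (b"a", b"b", b"c", b"d", b"e")]
    root = merkle_root(digests)
    proof = inclusion_proof(digests, 4)
    print("root:", root.hex())
    print("leaf 4 included:", verify_inclusion(digests[4], proof, root))
```

The verifier needs only the leaf, its proof and the published root; it never needs the other artifacts, which is what lets a downstream consumer check one artifact against an attested bundle without fetching the whole bundle.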

## Dependencies

### Upstream (this module depends on)

- **Signer/KMS** - Key management for signing (delegated)

### Downstream (modules that depend on this)

- **Attestor** - Stores generated attestations
- **EvidenceLocker** - Evidence bundle attestations
- **ExportCenter** - Export attestations

## Notes

Provenance is a **library**, not a standalone service. It does not:

- Store attestations (handled by Attestor and EvidenceLocker)
- Hold signing keys (delegated to Signer/KMS)

All attestation outputs are deterministic: statements are serialized as canonical JSON, so the same inputs always produce byte-identical attestations.
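To make the determinism and delegated-signing points concrete, here is an added Python example (not the Provenance library's code) that serializes an in-toto Statement carrying a minimal SLSA provenance predicate as canonical JSON, wraps it in a DSSE envelope using the spec's pre-authentication encoding (PAE), and verifies the result. The signer is passed in as a callable, mirroring the delegation to Signer/KMS: the library only ever sees the bytes to sign. The HMAC-based stand-in signer, its key, the key id, the artifact and the `buildType` URI are constructed for this example; the `_type`, `predicateType` and `payloadType` strings are the published in-toto, SLSA and DSSE values.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Callable, Dict

# Published identifiers from the in-toto attestation, SLSA and DSSE specs.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def canonical_json(obj: Any) -> bytes:
    """Simplified canonical serialization (JCS-style key ordering and no
    insignificant whitespace): equal objects always yield identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def build_statement(subject_name: str, artifact: bytes, builder_id: str) -> Dict[str, Any]:
    """In-toto Statement v1 with a minimal SLSA provenance v1 predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            # buildType URI is a CONSTRUCTED placeholder for this example.
            "buildDefinition": {"buildType": "https://example.invalid/build/v1"},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed."""
    pt = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def sign_envelope(statement: Dict[str, Any], keyid: str,
                  sign: Callable[[bytes], bytes]) -> Dict[str, Any]:
    """Serialize canonically, sign the PAE via the injected signer, wrap in DSSE."""
    payload = canonical_json(statement)
    sig = sign(pae(INTOTO_PAYLOAD_TYPE, payload))
    return {
        "payloadType": INTOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(envelope: Dict[str, Any],
                    verify: Callable[[str, bytes, bytes], bool]) -> bool:
    """Recompute the PAE from the envelope and check each listed signature.
    Accepts if any signature verifies under a key the injected verifier trusts."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        return False
    try:
        payload = base64.b64decode(envelope["payload"], validate=True)
        sigs = [(s["keyid"], base64.b64decode(s["sig"], validate=True))
                for s in envelope["signatures"]]
    except (KeyError, TypeError, ValueError):
        return False  # malformed envelope is a verification failure, not a crash
    signed_bytes = pae(INTOTO_PAYLOAD_TYPE, payload)
    return any(verify(keyid, signed_bytes, sig) for keyid, sig in sigs)


# Stand-in for the delegated Signer/KMS: HMAC-SHA256 over the PAE with a
# CONSTRUCTED demo key. A real deployment injects an asymmetric signer and the
# library never holds the private key.
DEMO_KEYID = "demo-key-1"
_DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def demo_sign(data: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(keyid: str, data: bytes, sig: bytes) -> bool:
    if keyid != DEMO_KEYID:
        return False  # unknown key id: not trusted
    return hmac.compare_digest(demo_sign(data), sig)


def demo() -> Dict[str, Any]:
    artifact = b"constructed artifact bytes"  # CONSTRUCTED sample subject
    stmt = build_statement("registry.example/app:1.0", artifact,
                           "https://example.invalid/builder")  # placeholder builder id
    return sign_envelope(stmt, DEMO_KEYID, demo_sign)


if __name__ == "__main__":
    env = demo()
    print(json.dumps(env, indent=2))
    print("verified:", verify_envelope(env, demo_verify))
```

Because `canonical_json` sorts keys and strips whitespace, calling `demo()` twice yields byte-identical envelopes, which is the property that lets Attestor and EvidenceLocker deduplicate and compare attestations by digest; altering even one payload byte changes the PAE and the verification fails.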

## Related Documentation

- [Attestor Architecture](../attestor/architecture.md)
- [DSSE Specification](../../security/trust-and-signing.md)