git.stella-ops.org/docs/doctor/articles/compliance/provenance-completeness.md

checkId, plugin, severity, tags

checkId	plugin	severity	tags
check.compliance.provenance-completeness	stellaops.doctor.compliance	fail	compliance provenance slsa

Provenance Completeness

What It Checks

Verifies that provenance records exist for all releases by querying the Provenance service at /api/v1/provenance/completeness. The check computes a completeness rate as (totalReleases - missingCount) / totalReleases and evaluates the SLSA (Supply-chain Levels for Software Artifacts) level:

Condition	Result
Provenance service unreachable	Warn
Completeness rate < 99%	Fail
SLSA level < 2 (but completeness >= 99%)	Warn
Completeness >= 99% and SLSA level >= 2	Pass

Evidence collected: completeness_rate, total_releases, missing_count, slsa_level.

The check only runs when Provenance:Url or Services:Provenance:Url is configured. It uses a 15-second HTTP timeout. If no releases exist (totalReleases == 0), completeness defaults to 100%.

Why It Matters

Provenance records document the complete history of how a software artifact was built, including the source code, build system, and build steps. Without provenance, there is no verifiable link between source code and the deployed artifact. This is a foundational requirement for SLSA compliance and supply-chain security. Missing provenance for even a small percentage of releases creates audit gaps that undermine the trustworthiness of the entire release pipeline.

Common Causes

• Build pipeline not configured to generate provenance attestations
• Provenance upload failures due to network or authentication issues
• Legacy releases created before provenance generation was enabled
• Manual deployments that bypass the standard build pipeline
• Build system not meeting SLSA level 2+ requirements

How to Fix

Docker Compose

# List releases missing provenance
docker compose exec provenance stella provenance audit --missing

# Generate backfill provenance for existing releases (dry run first)
docker compose exec provenance stella provenance backfill --dry-run

# If dry run looks correct, run the actual backfill
docker compose exec provenance stella provenance backfill

# Check SLSA level
docker compose exec provenance stella provenance slsa-level

# Ensure provenance generation is enabled in the pipeline
# Provenance__Enabled=true
# Provenance__SlsaLevel=2

Bare Metal / systemd

# List releases missing provenance
stella provenance audit --missing

# Backfill provenance (dry run first)
stella provenance backfill --dry-run

# Check SLSA level configuration
stella provenance slsa-level

# Configure in appsettings.json
# "Provenance": { "Enabled": true, "SlsaLevel": 2 }

sudo systemctl restart stellaops-provenance

Kubernetes / Helm

# values.yaml
provenance:
  enabled: true
  slsaLevel: 2
  backfill:
    enabled: true
    schedule: "0 3 * * 0"  # Weekly Sunday 3am

# List missing provenance
kubectl exec deploy/stellaops-provenance -- stella provenance audit --missing

# Backfill
kubectl exec deploy/stellaops-provenance -- stella provenance backfill --dry-run

helm upgrade stellaops ./charts/stellaops -f values.yaml

Verification

stella doctor run --check check.compliance.provenance-completeness

Related Checks

• check.compliance.attestation-signing — signing key required for provenance attestations
• check.compliance.evidence-rate — evidence generation rate includes provenance records
• check.compliance.evidence-integrity — integrity of provenance evidence
• check.evidencelocker.provenance — provenance chain integrity at the storage level
• check.compliance.framework — compliance frameworks may require specific SLSA levels