Provenance
Provenance attestation library for SLSA/DSSE compliance.
Purpose
Provenance provides deterministic, verifiable provenance attestations for all StellaOps artifacts. It enables SLSA compliance through DSSE statement generation, Merkle tree construction, and cryptographic verification.
Quick Links
- Architecture - Technical design and implementation details
- Guides - Attestation generation guides
Status
| Attribute | Value |
|---|---|
| Maturity | Production |
| Last Reviewed | 2025-12-29 |
| Maintainer | Security Guild |
Key Features
- DSSE Statement Generation: Build provenance attestations per DSSE spec
- SLSA Compliance: Support for SLSA build predicates
- Merkle Tree Construction: Content-addressed integrity verification
- Promotion Attestations: Track artifact promotions across environments
- Verification Harness: Validate attestation chains
Dependencies
Upstream (this module depends on)
- Signer/KMS - Key management for signing (delegated)
Downstream (modules that depend on this)
- Attestor - Stores generated attestations
- EvidenceLocker - Evidence bundle attestations
- ExportCenter - Export attestations
Notes
Provenance is a library, not a standalone service. It does not:
- Store attestations (handled by Attestor and EvidenceLocker)
- Hold signing keys (delegated to Signer/KMS)
All attestation outputs are deterministic: statements are serialized as canonical JSON, so the same inputs always produce byte-identical attestations.
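As an added illustration, not code from the Provenance library itself, the following Python models the flow this page describes: canonical JSON serialization, a Merkle root over the subject digests, an in-toto statement with a SLSA provenance predicate wrapped in a DSSE envelope via Pre-Authentication Encoding, and a verification check where the signer is injected from outside (as the Notes say, keys are delegated to Signer/KMS). The sample subjects, the `subjectMerkleRoot` field name, the builder identifiers and the HMAC stand-in for the KMS signer are assumptions made for this example.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Constructed sample subjects with placeholder digests, not real StellaOps artifacts.
SUBJECTS = [{"name": "app.tar.gz", "digest": {"sha256": "a" * 64}},
            {"name": "app.sbom.json", "digest": {"sha256": "b" * 64}}]

def canonical_json(obj):
    # Sorted keys, no whitespace: equal statements always serialize to identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def merkle_root(leaves):
    # Leaf hashes (0x00 prefix) are domain-separated from node hashes (0x01). Illustrative scheme only.
    level = [hashlib.sha256(b"\x00" + leaf).digest() for leaf in leaves]
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + a + b).digest() for a, b in zip(level[::2], level[1::2])]
        level = nxt + level[len(nxt) * 2:]  # an odd trailing node is carried up unchanged
    return level[0]

def build_statement(subjects, builder_id, build_type):
    # in-toto Statement v1 with a SLSA Provenance v1 predicate; "subjectMerkleRoot" is a constructed field.
    root = merkle_root([bytes.fromhex(s["digest"]["sha256"]) for s in subjects]).hex()
    return {"_type": "https://in-toto.io/Statement/v1", "subject": subjects,
            "predicateType": "https://slsa.dev/provenance/v1",
            "predicate": {"buildDefinition": {"buildType": build_type,
                                              "externalParameters": {"subjectMerkleRoot": root}},
                          "runDetails": {"builder": {"id": builder_id}}}}

def pae(payload_type, payload):
    # DSSE Pre-Authentication Encoding: "DSSEv1 <len> <type> <len> <payload>".
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)

def envelope(statement, sign, keyid):
    # The signer is injected, so no key material lives in the library (delegated to Signer/KMS).
    payload = canonical_json(statement)
    sig = sign(pae(PAYLOAD_TYPE, payload))
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify(env, check):
    # Recompute the PAE over the decoded payload; every signature must check out.
    msg = pae(env["payloadType"], base64.b64decode(env["payload"]))
    return bool(env["signatures"]) and all(check(msg, base64.b64decode(s["sig"])) for s in env["signatures"])

def demo(key=b"demo-key"):
    # HMAC-SHA256 stands in for the KMS signer so the example runs offline (assumption, not the real signer).
    sign = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    check = lambda m, s: hmac.compare_digest(sign(m), s)
    env = envelope(build_statement(SUBJECTS, "https://ci.example/builder", "https://example/build"), sign, "demo")
    forged = dict(env, payload=base64.b64encode(b"{}").decode())  # payload swapped after signing
    return verify(env, check), verify(forged, check)  # (True, False)
```

Because the PAE binds the payload type and length to the signed bytes, swapping the payload after signing, as `demo` does for its second result, makes verification fail even though the envelope is still well-formed JSON.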