Class: SourceProvenanceAttestation

An attestation describing how a source revision came to exist: where it was hosted, when it was generated, what process was used, who the contributors were, and which technical controls were enforced by the Source Control System.

URI: slsa:SourceProvenanceAttestation

```mermaid
classDiagram
    class SourceProvenanceAttestation
    click SourceProvenanceAttestation href "../SourceProvenanceAttestation/"
      Statement <|-- SourceProvenanceAttestation
        click Statement href "../Statement/"
      SourceProvenanceAttestation : _type
      SourceProvenanceAttestation : attestationStorageUri
      SourceProvenanceAttestation : controlsEnforced
      SourceProvenanceAttestation : predicate
      SourceProvenanceAttestation : predicateType
      SourceProvenanceAttestation : revision
        SourceProvenanceAttestation --> "0..1" SourceRevision : revision
        click SourceRevision href "../SourceRevision/"
      SourceProvenanceAttestation : signingTool
      SourceProvenanceAttestation : sigstoreLogEntry
      SourceProvenanceAttestation : sourceLevel
        SourceProvenanceAttestation --> "0..1" SourceLevelEnum : sourceLevel
        click SourceLevelEnum href "../SourceLevelEnum/"
      SourceProvenanceAttestation : subject
        SourceProvenanceAttestation --> "1..*" ResourceDescriptor : subject
        click ResourceDescriptor href "../ResourceDescriptor/"
```


Inheritance

  • Statement
      • SourceProvenanceAttestation

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| revision | 0..1 SourceRevision | The source revision that this attestation describes | direct |
| sourceLevel | 0..1 SourceLevelEnum | The SLSA Source Level achieved or verified for a source repository or revisio... | direct |
| controlsEnforced | * String | Technical controls actively enforced by the Source Control System when this r... | direct |
| _type | 1 String | Always "https://in-toto.io/Statement/v1". Identifies the in-toto statement schema ve... | Statement |
| subject | 1..* ResourceDescriptor | The set of software artifacts to which a predicate applies | Statement |
| predicateType | 1 String | URI identifying the schema and semantics of the predicate field | Statement |
| predicate | 0..1 String | The attestation payload — an arbitrary JSON object whose schema is fully dete... | Statement |
| attestationStorageUri | 0..1 String | URI indicating where this signed attestation is publicly stored or retrievabl... | Statement |
| signingTool | 0..1 String | URI or name of the tool used to cryptographically sign the artifact or attest... | Statement |
| sigstoreLogEntry | 0..1 String | URI of the Rekor transparency log entry recording this attestation or artifac... | Statement |

In Subsets

  • slsa_source_track

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/slsa

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | slsa:SourceProvenanceAttestation |
| native | slsa:SourceProvenanceAttestation |

LinkML Source

Direct

name: SourceProvenanceAttestation
description: 'An attestation describing how a source revision came to exist: where
  it was hosted, when it was generated, what process was used, who the contributors
  were, and which technical controls were enforced by the Source Control System.'
in_subset:
- slsa_source_track
from_schema: https://w3id.org/lmodel/slsa
is_a: Statement
slots:
- revision
- sourceLevel
- controlsEnforced

Induced

name: SourceProvenanceAttestation
description: 'An attestation describing how a source revision came to exist: where
  it was hosted, when it was generated, what process was used, who the contributors
  were, and which technical controls were enforced by the Source Control System.'
in_subset:
- slsa_source_track
from_schema: https://w3id.org/lmodel/slsa
is_a: Statement
attributes:
  revision:
    name: revision
    description: The source revision that this attestation describes.
    in_subset:
    - slsa_source_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: revision
    owner: SourceProvenanceAttestation
    domain_of:
    - SourceProvenanceAttestation
    range: SourceRevision
    inlined: true
  sourceLevel:
    name: sourceLevel
    description: The SLSA Source Level achieved or verified for a source repository
      or revision.
    in_subset:
    - slsa_source_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: sourceLevel
    owner: SourceProvenanceAttestation
    domain_of:
    - SourceRepository
    - SourceProvenanceAttestation
    range: SourceLevelEnum
  controlsEnforced:
    name: controlsEnforced
    description: Technical controls actively enforced by the Source Control System
      when this revision was created (e.g., "two-party review", "branch protection",
      "status checks").
    notes:
    - 'Two-party review feasibility (Tamanna et al., 2024, LF.2): Many open-source
      projects have a single maintainer, making the two-party review requirement impractical.
      Pair programming and mob programming were raised as contested alternatives whose
      security equivalence has not been formally established. Use the reviewType slot
      on SourceRevision to record the specific form of review applied.'
    in_subset:
    - slsa_source_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: controlsEnforced
    owner: SourceProvenanceAttestation
    domain_of:
    - SourceProvenanceAttestation
    range: string
    multivalued: true
  _type:
    name: _type
    description: Always "https://in-toto.io/Statement/v1". Identifies the in-toto
      statement schema version and namespace.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: _type
    owner: SourceProvenanceAttestation
    domain_of:
    - Statement
    range: string
    required: true
  subject:
    name: subject
    description: The set of software artifacts to which a predicate applies. Each
      entry MUST contain a digest.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: subject
    owner: SourceProvenanceAttestation
    domain_of:
    - Statement
    range: ResourceDescriptor
    required: true
    multivalued: true
    inlined: true
    inlined_as_list: true
  predicateType:
    name: predicateType
    description: URI identifying the schema and semantics of the predicate field.
      Used to distinguish different attestation types (e.g., SLSA Provenance vs. Verification
      Summary Attestation).
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: predicateType
    owner: SourceProvenanceAttestation
    domain_of:
    - Statement
    range: string
    required: true
  predicate:
    name: predicate
    description: The attestation payload — an arbitrary JSON object whose schema is
      fully determined by predicateType.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: predicate
    owner: SourceProvenanceAttestation
    domain_of:
    - Statement
    range: string
  attestationStorageUri:
    name: attestationStorageUri
    description: 'URI indicating where this signed attestation is publicly stored
      or retrievable. No universal standard for attestation storage location was established
      in SLSA v1.0; Sigstore and VCS-embedded storage are two common approaches. Explicitly
      recording this URI addresses the storage ambiguity identified as a significant
      adoption barrier: practitioners reported uncertainty about where generated attestations
      should be stored (Tamanna et al., 2024, LF.1).'
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    - slsa_adoption_study
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: attestationStorageUri
    owner: SourceProvenanceAttestation
    domain_of:
    - Statement
    range: string
  signingTool:
    name: signingTool
    description: URI or name of the tool used to cryptographically sign the artifact
      or attestation (e.g., "https://github.com/sigstore/cosign", "https://github.com/notaryproject/notation").
      In the SSF reference architecture the Signing Service layer is distinct from
      the Build Service; recording the signing tool enables verifiers to select the
      matching verification workflow. For Sigstore keyless signing the value should
      be the Cosign release URI.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_ssf
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: signingTool
    owner: SourceProvenanceAttestation
    domain_of:
    - Statement
    range: string
  sigstoreLogEntry:
    name: sigstoreLogEntry
    description: URI of the Rekor transparency log entry recording this attestation
      or artifact signature (e.g., "https://rekor.sigstore.dev/api/v1/log/entries/24296fb...").
      The Rekor log provides an immutable, auditable record of signing events that
      underpins Sigstore keyless signing. Verifiers can fetch this entry to confirm
      the cryptographic signature was recorded in the public-good log and obtain the
      signing certificate chain issued by Fulcio. Recording this URI enables offline
      and third-party verification without requiring direct access to the original
      signing key.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_ssf
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: sigstoreLogEntry
    owner: SourceProvenanceAttestation
    domain_of:
    - Statement
    range: string
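As an added example that is not part of the LinkML schema or its generated documentation, the following Python checks a JSON-like dict against the constraints the class definition above states: the fixed `_type`, a non-empty `subject` whose every ResourceDescriptor carries a digest, URI-valued `predicateType`, `attestationStorageUri` and `sigstoreLogEntry`, and a multivalued string `controlsEnforced`. Treating the class slots as top-level keys of one object, and every value in `SAMPLE`, are assumptions made here; the permitted `SourceLevelEnum` values are not on this page and are not checked.

```python
from urllib.parse import urlparse

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
REQUIRED = ("_type", "subject", "predicateType")          # required: true in the schema
OPTIONAL_URIS = ("attestationStorageUri", "sigstoreLogEntry")


def _is_uri(value):
    """Accept only absolute URIs with a scheme and a host."""
    parts = urlparse(value) if isinstance(value, str) else None
    return bool(parts and parts.scheme and parts.netloc)


def check_statement(stmt):
    """Return constraint violations (empty list = conforms) for a statement dict."""
    errors = [f"{k}: required slot is missing" for k in REQUIRED if k not in stmt]
    # _type is fixed by the in-toto Statement schema.
    if "_type" in stmt and stmt["_type"] != IN_TOTO_STATEMENT_TYPE:
        errors.append(f"_type: must be {IN_TOTO_STATEMENT_TYPE!r}")
    # subject is 1..* and each ResourceDescriptor MUST contain a digest.
    subjects = stmt.get("subject")
    if "subject" in stmt and (not isinstance(subjects, list) or not subjects):
        errors.append("subject: cardinality is 1..*, need a non-empty list")
    for i, entry in enumerate(subjects if isinstance(subjects, list) else []):
        digest = entry.get("digest") if isinstance(entry, dict) else None
        if not isinstance(digest, dict) or not digest:
            errors.append(f"subject[{i}]: ResourceDescriptor MUST contain a digest")
    # predicateType and the storage/log slots are URIs.
    for key in ("predicateType",) + OPTIONAL_URIS:
        if key in stmt and not _is_uri(stmt[key]):
            errors.append(f"{key}: must be a URI")
    # controlsEnforced is a multivalued string slot.
    controls = stmt.get("controlsEnforced", [])
    if not isinstance(controls, list) or not all(isinstance(c, str) for c in controls):
        errors.append("controlsEnforced: must be a list of strings")
    return errors


# Constructed sample; the digest, predicateType and log-entry values are placeholders.
SAMPLE = {
    "_type": IN_TOTO_STATEMENT_TYPE,
    "subject": [{"name": "git+https://example.invalid/org/repo",
                 "digest": {"gitCommit": "0" * 40}}],
    "predicateType": "https://example.invalid/source-provenance/v0",
    "controlsEnforced": ["two-party review", "branch protection"],
    "sigstoreLogEntry": "https://rekor.sigstore.dev/api/v1/log/entries/PLACEHOLDER",
}
```

Running `check_statement` on a statement with the wrong `_type` or a subject without a digest returns the violated constraint by slot name, which is the shape of feedback a verifier should emit before it ever looks at a signature.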