
Class: BuildProvenance

An attestation predicate (predicateType "https://slsa.dev/provenance/v1") that describes how a set of output artifacts was produced by a build platform. Consumers use this to verify artifact authenticity and trace artifacts back through the supply chain.

URI: slsa:BuildProvenance

 classDiagram
    class BuildProvenance
    click BuildProvenance href "../BuildProvenance/"
      Statement <|-- BuildProvenance
        click Statement href "../Statement/"

      BuildProvenance : _type
      BuildProvenance : attestationStorageUri
      BuildProvenance : buildDefinition
        BuildProvenance --> "1" BuildDefinition : buildDefinition
        click BuildDefinition href "../BuildDefinition/"
      BuildProvenance : predicate
      BuildProvenance : predicateType
      BuildProvenance : runDetails
        BuildProvenance --> "1" RunDetails : runDetails
        click RunDetails href "../RunDetails/"
      BuildProvenance : signingTool
      BuildProvenance : sigstoreLogEntry
      BuildProvenance : subject
        BuildProvenance --> "1..*" ResourceDescriptor : subject
        click ResourceDescriptor href "../ResourceDescriptor/"

Inheritance

  • Statement
      • BuildProvenance

Slots

| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| buildDefinition | 1, BuildDefinition | All inputs to the build, sufficient to initialise and reproduce it. REQUIRED at SLSA Build L1. | direct |
| runDetails | 1, RunDetails | Details specific to this particular execution of the build, including builder identity and metadata. REQUIRED at SLSA Build L1. | direct |
| _type | 1, String | Always "https://in-toto.io/Statement/v1". Identifies the in-toto statement schema version and namespace. | Statement |
| subject | 1..*, ResourceDescriptor | The set of software artifacts to which a predicate applies. Each entry MUST contain a digest. | Statement |
| predicateType | 1, String | URI identifying the schema and semantics of the predicate field. Used to distinguish different attestation types (e.g., SLSA Provenance vs. Verification Summary Attestation). | Statement |
| predicate | 0..1, String | The attestation payload — an arbitrary JSON object whose schema is fully determined by predicateType. | Statement |
| attestationStorageUri | 0..1, String | URI indicating where this signed attestation is publicly stored or retrievable. | Statement |
| signingTool | 0..1, String | URI or name of the tool used to cryptographically sign the artifact or attestation (e.g., "https://github.com/sigstore/cosign", "https://github.com/notaryproject/notation"). | Statement |
| sigstoreLogEntry | 0..1, String | URI of the Rekor transparency log entry recording this attestation or artifact signature (e.g., "https://rekor.sigstore.dev/api/v1/log/entries/24296fb..."). | Statement |

Usages

| used by | used in | type | used |
|---|---|---|---|
| BuildImage | provenance | range | BuildProvenance |

In Subsets

  • slsa_build_track

Notes

  • Top adoption challenge (Tamanna et al., 2024, CI.1 — 901 issues): Generating valid provenance is the highest-volume challenge theme in practitioner GitHub issues. Key sub-challenges include the blocking nature of check-verifier pre-submit jobs, lack of support for non-build configurations (e.g., GoReleaser publish-only steps), laborious multi-build script setup, and risk of leaking credentials or other sensitive data in externalParameters.
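The slot constraints listed above and the externalParameters leak risk raised in the note, as an added worked check. This is example code written for this page, not part of the LinkML schema, the slsa.dev specification or any project the page references. It follows this page's model, in which buildDefinition and runDetails are slots of BuildProvenance itself, and additionally accepts the in-toto wire layout that nests them under predicate (an assumption about the consumer's input). The position of externalParameters inside buildDefinition follows the SLSA v1 provenance layout; the credential-shaped key-name heuristic and every digest, URI and parameter value in the sample statements are constructed placeholders.

```python
import re
from typing import Any

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Heuristic (constructed for this example): key names that commonly hold credentials.
SENSITIVE_KEY = re.compile(r"token|secret|passw(or)?d|api[_-]?key|credential|private[_-]?key", re.I)
# URI carrying userinfo, e.g. https://user:pass@host/..., another common leak shape.
USERINFO_URI = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)


def _slot(stmt: dict, name: str) -> Any:
    """Read a slot from the statement. This page's model puts buildDefinition
    and runDetails on the class itself; the in-toto wire format nests them
    under predicate, so both locations are accepted (assumption)."""
    if name in stmt:
        return stmt[name]
    predicate = stmt.get("predicate")
    return predicate.get(name) if isinstance(predicate, dict) else None


def sensitive_paths(value: Any, path: str = "externalParameters") -> list[str]:
    """Collect paths under externalParameters whose key looks credential-like
    or whose string value is a URI with embedded userinfo."""
    hits: list[str] = []
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}"
            if SENSITIVE_KEY.search(key):
                hits.append(here)
            hits.extend(sensitive_paths(child, here))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(sensitive_paths(child, f"{path}[{i}]"))
    elif isinstance(value, str) and USERINFO_URI.match(value):
        hits.append(path)
    return hits


def check_statement(stmt: dict) -> list[str]:
    """Return the constraint violations for one statement; empty means it passes."""
    problems: list[str] = []
    if stmt.get("_type") != STATEMENT_TYPE:
        problems.append(f"_type must be {STATEMENT_TYPE}")
    if stmt.get("predicateType") != PREDICATE_TYPE:
        problems.append(f"predicateType must be {PREDICATE_TYPE}")

    subjects = stmt.get("subject")
    if not isinstance(subjects, list) or not subjects:
        problems.append("subject must be a non-empty list (cardinality 1..*)")
    else:
        for i, subj in enumerate(subjects):
            digest = subj.get("digest") if isinstance(subj, dict) else None
            if not isinstance(digest, dict) or not digest:
                problems.append(f"subject[{i}] must contain a digest")

    for name in ("buildDefinition", "runDetails"):  # required at SLSA Build L1
        if not isinstance(_slot(stmt, name), dict):
            problems.append(f"{name} is required")

    for name in ("attestationStorageUri", "signingTool", "sigstoreLogEntry"):  # 0..1, string
        if name in stmt and not isinstance(stmt[name], str):
            problems.append(f"{name} must be a string")

    build_def = _slot(stmt, "buildDefinition")
    if isinstance(build_def, dict):
        for path in sensitive_paths(build_def.get("externalParameters", {})):
            problems.append(f"possible credential leak in buildDefinition.{path}")
    return problems


# Constructed sample statements; digests, URIs and parameter values are placeholders.
GOOD_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "0" * 64}}],
    "predicateType": PREDICATE_TYPE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/build-types/generic@v1",
            "externalParameters": {"repository": "https://example.com/org/app", "ref": "refs/tags/v1.0.0"},
        },
        "runDetails": {"builder": {"id": "https://example.com/builder@v1"}},
    },
    "signingTool": "https://github.com/sigstore/cosign",
    "sigstoreLogEntry": "https://rekor.sigstore.dev/api/v1/log/entries/PLACEHOLDER",
}

# Two defects the slot descriptions and the note call out: a subject without a
# digest, and credential-shaped data recorded in externalParameters.
LEAKY_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "app.tar.gz"}],
    "predicateType": PREDICATE_TYPE,
    "predicate": {
        "buildDefinition": {
            "externalParameters": {
                "repository": "https://deploy:PLACEHOLDER@example.com/org/app",
                "publish": {"npm_token": "PLACEHOLDER"},
            }
        },
        "runDetails": {"builder": {"id": "https://example.com/builder@v1"}},
    },
}

if __name__ == "__main__":
    for label, stmt in (("good", GOOD_STATEMENT), ("leaky", LEAKY_STATEMENT)):
        print(label, check_statement(stmt) or "ok")
```

The externalParameters scan is a pre-publication guard, not a substitute for keeping secrets out of the parameters a build platform records: anything that reaches a signed, publicly stored attestation is permanent, so a finding here should block the release step rather than merely warn.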

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/slsa

Mappings

| Mapping Type | Mapped Value |
|---|---|
| self | slsa:BuildProvenance |
| native | slsa:BuildProvenance |

LinkML Source

Direct

name: BuildProvenance
description: An attestation predicate (predicateType "https://slsa.dev/provenance/v1")
  that describes how a set of output artifacts was produced by a build platform. Consumers
  use this to verify artifact authenticity and trace artifacts back through the supply
  chain.
notes:
- 'Top adoption challenge (Tamanna et al., 2024, CI.1 — 901 issues): Generating valid
  provenance is the highest-volume challenge theme in practitioner GitHub issues.
  Key sub-challenges include the blocking nature of check-verifier pre-submit jobs,
  lack of support for non-build configurations (e.g., GoReleaser publish-only steps),
  laborious multi-build script setup, and risk of leaking credentials or other sensitive
  data in externalParameters.'
in_subset:
- slsa_build_track
from_schema: https://w3id.org/lmodel/slsa
is_a: Statement
slots:
- buildDefinition
- runDetails

Induced

name: BuildProvenance
description: An attestation predicate (predicateType "https://slsa.dev/provenance/v1")
  that describes how a set of output artifacts was produced by a build platform. Consumers
  use this to verify artifact authenticity and trace artifacts back through the supply
  chain.
notes:
- 'Top adoption challenge (Tamanna et al., 2024, CI.1 — 901 issues): Generating valid
  provenance is the highest-volume challenge theme in practitioner GitHub issues.
  Key sub-challenges include the blocking nature of check-verifier pre-submit jobs,
  lack of support for non-build configurations (e.g., GoReleaser publish-only steps),
  laborious multi-build script setup, and risk of leaking credentials or other sensitive
  data in externalParameters.'
in_subset:
- slsa_build_track
from_schema: https://w3id.org/lmodel/slsa
is_a: Statement
attributes:
  buildDefinition:
    name: buildDefinition
    description: All inputs to the build, sufficient to initialise and reproduce it.
      REQUIRED at SLSA Build L1.
    in_subset:
    - slsa_build_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: buildDefinition
    owner: BuildProvenance
    domain_of:
    - SlsaDocument
    - BuildProvenance
    range: BuildDefinition
    required: true
    inlined: true
  runDetails:
    name: runDetails
    description: Details specific to this particular execution of the build, including
      builder identity and metadata. REQUIRED at SLSA Build L1.
    in_subset:
    - slsa_build_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: runDetails
    owner: BuildProvenance
    domain_of:
    - SlsaDocument
    - BuildProvenance
    range: RunDetails
    required: true
    inlined: true
  _type:
    name: _type
    description: Always "https://in-toto.io/Statement/v1". Identifies the in-toto
      statement schema version and namespace.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: _type
    owner: BuildProvenance
    domain_of:
    - Statement
    range: string
    required: true
  subject:
    name: subject
    description: The set of software artifacts to which a predicate applies. Each
      entry MUST contain a digest.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: subject
    owner: BuildProvenance
    domain_of:
    - Statement
    range: ResourceDescriptor
    required: true
    multivalued: true
    inlined: true
    inlined_as_list: true
  predicateType:
    name: predicateType
    description: URI identifying the schema and semantics of the predicate field.
      Used to distinguish different attestation types (e.g., SLSA Provenance vs. Verification
      Summary Attestation).
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: predicateType
    owner: BuildProvenance
    domain_of:
    - Statement
    range: string
    required: true
  predicate:
    name: predicate
    description: The attestation payload — an arbitrary JSON object whose schema is
      fully determined by predicateType.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: predicate
    owner: BuildProvenance
    domain_of:
    - Statement
    range: string
  attestationStorageUri:
    name: attestationStorageUri
    description: 'URI indicating where this signed attestation is publicly stored
      or retrievable. No universal standard for attestation storage location was established
      in SLSA v1.0; Sigstore and VCS-embedded storage are two common approaches. Explicitly
      recording this URI addresses the storage ambiguity identified as a significant
      adoption barrier: practitioners reported uncertainty about where generated attestations
      should be stored (Tamanna et al., 2024, LF.1).'
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_build_env_track
    - slsa_adoption_study
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: attestationStorageUri
    owner: BuildProvenance
    domain_of:
    - Statement
    range: string
  signingTool:
    name: signingTool
    description: URI or name of the tool used to cryptographically sign the artifact
      or attestation (e.g., "https://github.com/sigstore/cosign", "https://github.com/notaryproject/notation").
      In the SSF reference architecture the Signing Service layer is distinct from
      the Build Service; recording the signing tool enables verifiers to select the
      matching verification workflow. For Sigstore keyless signing the value should
      be the Cosign release URI.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_ssf
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: signingTool
    owner: BuildProvenance
    domain_of:
    - Statement
    range: string
  sigstoreLogEntry:
    name: sigstoreLogEntry
    description: URI of the Rekor transparency log entry recording this attestation
      or artifact signature (e.g., "https://rekor.sigstore.dev/api/v1/log/entries/24296fb...").
      The Rekor log provides an immutable, auditable record of signing events that
      underpins Sigstore keyless signing. Verifiers can fetch this entry to confirm
      the cryptographic signature was recorded in the public-good log and obtain the
      signing certificate chain issued by Fulcio. Recording this URI enables offline
      and third-party verification without requiring direct access to the original
      signing key.
    in_subset:
    - slsa_build_track
    - slsa_source_track
    - slsa_ssf
    from_schema: https://w3id.org/lmodel/slsa
    rank: 1000
    alias: sigstoreLogEntry
    owner: BuildProvenance
    domain_of:
    - Statement
    range: string