Not Just Ticking a Box ☑️: Establishing Trust in Artifacts with Provenance
When you consume a software artifact in production, do you know its provenance? Just as physical products have stamps and certifications documenting their origin and quality, software artifacts need verifiable provenance to establish trust in the supply chain.
This presentation explores how attestations and provenance data enable organizations to move beyond checkbox compliance toward genuine supply chain security. We demonstrate practical approaches to establishing trust in software artifacts through SLSA provenance, in-toto attestations, and the Konflux open source software factory.
Key Topics
- Software Supply Chain Security - Moving from physical world trust mechanisms to software artifact verification
- Attestations as Trust Anchors - Understanding in-toto attestation framework and verifiable claims
- SLSA Provenance - Implementing Supply-chain Levels for Software Artifacts
- Konflux Project - Building a security-first, cloud-native software factory with built-in attestation support
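To make the "attestations as trust anchors" and "SLSA provenance" topics concrete, here is an added example (not code from the talk, from Konflux, or from the SLSA/in-toto projects) that builds an in-toto Statement v1 carrying a SLSA Provenance v1 predicate for a constructed artifact and then performs the checks a consumer would run before trusting it: the statement's subject digest matches the artifact actually in hand, the builder identity is the one expected, and the source repository falls under an allowed prefix. Field names follow the published in-toto Statement and SLSA provenance schemas; the `buildType` URI, builder id, source URI and commit are constructed placeholders. Signature verification of the DSSE envelope that normally wraps such a statement is assumed to have happened beforehand and is not shown.

```python
import hashlib
import json

# Constructed sample artifact bytes (stands in for a built binary or image layer).
ARTIFACT = b"example-build-output-v1\n"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance_statement(artifact_name, artifact, builder_id, source_uri, source_commit):
    """Build an in-toto Statement v1 wrapping a SLSA Provenance v1 predicate.

    Field names follow the in-toto and SLSA schemas; every value is constructed here."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                # Hypothetical buildType URI; real build platforms publish their own.
                "buildType": "https://example.invalid/build-types/container@v1",
                "externalParameters": {
                    "source": {"uri": source_uri, "digest": {"gitCommit": source_commit}}
                },
                "resolvedDependencies": [
                    {"uri": source_uri, "digest": {"gitCommit": source_commit}}
                ],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement, artifact, expected_builder_id, allowed_source_prefix):
    """Return (ok, reasons).

    Checks what a consumer must confirm before trusting an artifact on the basis of
    its provenance: the statement binds to this exact artifact, the build was run by
    the expected builder, and the source came from an allowed repository."""
    reasons = []
    if statement.get("_type") != STATEMENT_TYPE:
        reasons.append("unexpected statement type")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        reasons.append("unexpected predicate type")

    # Binding: the artifact we hold must be one of the statement's subjects.
    actual = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        reasons.append("artifact digest not among statement subjects")

    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != expected_builder_id:
        reasons.append(f"builder id {builder!r} != expected {expected_builder_id!r}")

    source = (
        pred.get("buildDefinition", {})
        .get("externalParameters", {})
        .get("source", {})
        .get("uri", "")
    )
    if not source.startswith(allowed_source_prefix):
        reasons.append(f"source {source!r} outside allowed prefix {allowed_source_prefix!r}")

    return (not reasons, reasons)


# Constructed policy values for the demonstration.
BUILDER_ID = "https://builder.example.invalid/trusted-pipeline@v1"
SOURCE_PREFIX = "git+https://git.example.invalid/org/"


def demo():
    """Produce a statement for ARTIFACT and verify it, plus a tampered copy."""
    stmt = make_provenance_statement(
        "app.tar.gz", ARTIFACT, BUILDER_ID,
        SOURCE_PREFIX + "app", "0123456789abcdef0123456789abcdef01234567",
    )
    good = verify_provenance(stmt, ARTIFACT, BUILDER_ID, SOURCE_PREFIX)
    tampered = verify_provenance(stmt, ARTIFACT + b"x", BUILDER_ID, SOURCE_PREFIX)
    return stmt, good, tampered


if __name__ == "__main__":
    statement, good, tampered = demo()
    print(json.dumps(statement, indent=2))
    print("genuine artifact:", good)
    print("tampered artifact:", tampered)
```

The point of the digest check is that provenance is only meaningful when it is bound to the bytes being deployed; a statement whose subject does not match the artifact in hand says nothing about it. The builder and source checks are where organisational policy lives, and they are what distinguish "a provenance file exists" from the artifact actually having been built the way the policy requires.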
Links
- Event: Open Source Summit NA
- Konflux: konflux-ci.dev
- SLSA Framework: slsa.dev
- in-toto Attestations: in-toto.io
- Ralph's Slides: ralphbean.github.io/slides/oss-na/2025/provenance.html
Speakers: Andrew McNamara & Ralph Bean, Red Hat