Supply Chain Provenance Verification
A structured toolkit for verifying the provenance of open-source dependencies in production pipelines — covering inventory, hash verification, registry monitoring, and maturity progression.
Asset Type: Toolkit
Edition: 2026-04-13
When to Use This Toolkit
Deploy this toolkit when any of the following conditions apply to your environment:
Onboarding Dependencies
Onboarding new open-source dependencies into a production pipeline
Responding to Compromise
Responding to a supply chain compromise disclosure affecting tools in your environment (e.g. the Trivy/Axios class of attack)
Pipeline Security Audit
Conducting a pipeline security audit ahead of a compliance review or architecture change
Velocity Over Provenance
Engineering teams are prioritising deployment velocity over provenance verification
Not applicable for: first-party code, proprietary vendor-supplied binaries with independent signing chains, or environments already enforcing SLSA Level 3+ compliance.
1: Inventory Dependencies
Generate a full software bill of materials (SBOM) for all continuous integration pipelines. Include transitive dependencies, not just direct imports.
2: Generate Lockfiles with Cryptographic Hashes
What to do
For each package manager in use (npm, pip, cargo, go.sum, etc.), generate or update lockfiles that record the expected cryptographic hash for every dependency.
Treat the lockfile as a signed artefact under source control.
Supported Package Managers
- npm ≥ 5
- pip with pip-tools
- cargo (native)
- go.sum (Go modules)
3: Enforce Hash Verification at Build Time
Configure Build Environment
Configure the build environment to fail by default if a downloaded package hash deviates from the lockfile.
Block Outbound Network Access
Block outbound network access from the build server to prevent dynamic code fetching during compilation.
4: Monitor for Registry Anomalies
Subscribe to Advisories
Subscribe to the security advisories for all package registries in use.
Automated Alerts
Configure automated alerts when a package version previously ingested by your pipeline receives a security flag.
5: Restrict Access
Limit Modification Rights
Limit which engineers can modify the lockfile or override hash verification failures.
Privileged Access Event
Treat bypass permissions as a privileged access event requiring documented approval.
Minimum Version / Prerequisites
Before deploying this toolkit, ensure your environment meets the following prerequisites:
1
Package Manager Lockfile Support
npm ≥ 5, pip with pip-tools, cargo native, Go modules
2
CI/CD Platform
CI/CD platform with build failure policies configurable per step
3
SBOM Generation Tooling
Syft, Trivy SBOM mode, or equivalent
4
Internal Artefact Registry
Internal artefact registry for caching verified packages
Maturity Path
Progress through four stages of supply chain provenance maturity, from foundational lockfile hygiene to full SLSA Level 3+ compliance.
1
2
3
4
1
Baseline
Lockfiles with hashes present in source control; build fails on hash mismatch
2
Managed
Automated SBOM generation on every build; anomaly alerting active
3
Advanced
Air-gapped internal registry; all packages verified before ingestion; SLSA Level 2
4
Optimised
SLSA Level 3+; provenance attestations signed by build system; full audit trail per artefact
Ready to Verify Your Supply Chain?
This toolkit covers the full lifecycle — from dependency inventory and cryptographic lockfiles, to registry monitoring, access restriction, and a clear maturity path toward SLSA Level 3+ compliance. Follow the five steps and progress through the maturity stages to build a resilient, auditable supply chain provenance practice.
Step 1
Inventory Dependencies
Step 2
Generate Lockfiles
Step 3
Enforce Hash Verification
Step 4
Monitor Registries
Step 5
Restrict Access