provenance
Definition
Provenance, in the context of DevSecOps and application security, is the recorded origin, history, and changes of software components and data across their lifecycle: which sources they came from, who authored or modified them, and which build produced them. The record exists to support integrity checks, accountability, and compliance with security policy, and it is what auditors, incident responders, and developers consult to reconstruct the lineage of an artifact. For a provenance record to be worth relying on, it has to be tied to the artifact it describes (typically by a cryptographic digest) and protected against after-the-fact editing (typically by a signature from the build system); a log that anyone with write access to the workspace can rewrite documents history but cannot prove it.
Secure Settings Example
# Example of a provenance-tracking configuration in a CI/CD pipeline (CircleCI 2.1).
# The build step is included so there is an artifact to describe, and the artifact's
# SHA-256 is written alongside the build metadata so the record names the exact
# binary it belongs to. The log itself is unsigned; treat it as the input to a
# signed attestation, not as proof on its own.
version: 2.1
jobs:
  build:
    docker:
      - image: circleci/golang:1.16
    steps:
      - checkout
      - run:
          name: Build Application
          command: go build -o app
      - run:
          name: Record Build Provenance
          command: |
            echo "Build ID: $CIRCLE_BUILD_NUM" >> provenance.log
            echo "Commit SHA: $CIRCLE_SHA1" >> provenance.log
            echo "Build URL: $CIRCLE_BUILD_URL" >> provenance.log
            # Bind the record to the produced binary by digest.
            echo "Artifact SHA-256: $(sha256sum app | cut -d ' ' -f 1)" >> provenance.log
      - persist_to_workspace:
          root: .
          paths:
            - app
            - provenance.log
Insecure Settings Example
# Example of an insecure configuration lacking provenance tracking.
version: 2.1
jobs:
  build:
    docker:
      - image: circleci/golang:1.16
    steps:
      - checkout
      - run:
          name: Build Application
          command: go build -o app
      # Nothing records which commit, builder, or build run produced `app`,
      # so the binary cannot later be traced back to its source or checked
      # against what the pipeline actually built.
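The secure configuration above writes the commit, build number, and build URL to a plain log, which documents lineage but cannot by itself prove that the binary it travels with is the one that build produced. The following Python script is an added example, not code from the original page or from CircleCI. It packages those same fields together with the artifact's SHA-256 into an in-toto Statement carrying a SLSA v0.2-shaped provenance predicate, protects the record with an HMAC that stands in for the asymmetric signature a real builder would apply, and then checks a candidate binary against the record before deployment, rejecting both a swapped artifact and an edited record. The repository URI, commit SHA, build values, artifact bytes, and key are constructed sample data, and the `buildType` URI is an assumed identifier.

```python
"""Record and verify build provenance for an artifact.

Added example, not from the original page or from CircleCI. The HMAC is a
stand-in for the asymmetric signature a real builder would apply; the
sample artifact, commit, build values and key are constructed.
"""
import hashlib
import hmac
import json

# Constructed stand-ins for $CIRCLE_SHA1, $CIRCLE_BUILD_NUM, $CIRCLE_BUILD_URL
# and for the binary that `go build -o app` would produce.
SAMPLE_REPO = "git+https://github.com/example/app"
SAMPLE_COMMIT_SHA = "3f1c9a7e5d2b4c6a8e0f1d2c3b4a5968778899aa"
SAMPLE_BUILD_NUM = "1042"
SAMPLE_BUILD_URL = "https://circleci.com/gh/example/app/1042"
SAMPLE_ARTIFACT = b"\x7fELF" + b"constructed-binary-contents"
BUILDER_KEY = b"constructed-demo-key-not-for-production"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact: bytes, name: str, repo: str, commit: str,
                    build_num: str, build_url: str) -> dict:
    """Build an in-toto Statement whose predicate follows the SLSA v0.2 layout."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "builder": {"id": build_url},
            "buildType": "https://example.com/circleci/v1",  # assumed identifier
            "invocation": {"configSource": {
                "uri": repo, "digest": {"sha1": commit},
                "entryPoint": ".circleci/config.yml"}},
            "metadata": {"buildInvocationId": build_num},
            "materials": [{"uri": repo, "digest": {"sha1": commit}}],
        },
    }


def sign(statement: dict, key: bytes) -> dict:
    """Wrap the canonical JSON payload with a MAC (real builders use a signature)."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": mac}


def verify(envelope: dict, artifact: bytes, key: bytes, expected_repo: str):
    """Return (ok, reason): record untampered, artifact matches, source as expected."""
    payload = envelope["payload"].encode()
    expected_mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, envelope["mac"]):
        return False, "record altered or not produced by the trusted builder"
    statement = json.loads(payload)
    if statement.get("predicateType") != PREDICATE_TYPE:
        return False, "unexpected predicate type"
    if sha256_hex(artifact) not in {s["digest"]["sha256"] for s in statement["subject"]}:
        return False, "artifact digest does not match the provenance subject"
    source = statement["predicate"]["invocation"]["configSource"]
    if source["uri"] != expected_repo:
        return False, f"built from {source['uri']}, expected {expected_repo}"
    return True, f"ok: built from {source['uri']}@{source['digest']['sha1']}"


def demo() -> dict:
    """Genuine artifact passes; a swapped binary and an edited record both fail."""
    statement = make_provenance(SAMPLE_ARTIFACT, "app", SAMPLE_REPO,
                                SAMPLE_COMMIT_SHA, SAMPLE_BUILD_NUM, SAMPLE_BUILD_URL)
    envelope = sign(statement, BUILDER_KEY)
    # Attacker rewrites the recorded commit without access to the builder key.
    edited = dict(envelope)
    edited["payload"] = envelope["payload"].replace(SAMPLE_COMMIT_SHA, "f" * 40)
    return {
        "genuine": verify(envelope, SAMPLE_ARTIFACT, BUILDER_KEY, SAMPLE_REPO),
        "swapped_artifact": verify(envelope, SAMPLE_ARTIFACT + b"\x90", BUILDER_KEY, SAMPLE_REPO),
        "edited_record": verify(edited, SAMPLE_ARTIFACT, BUILDER_KEY, SAMPLE_REPO),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'} - {reason}")
```

The verification order matters: the MAC is checked before any field of the record is trusted, the artifact digest is compared only against a record that passed that check, and the expected source repository is asserted last so a correctly signed record from an unexpected repository is still rejected. In production the HMAC would be replaced by a signature whose private key lives only in the build system, so that workspace write access alone cannot forge a record.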