How do you verify the provenance of a build artifact? [Intermediate]
Answer
To verify artifact provenance, I start from the artifact's immutable digest and check that a signed provenance attestation names exactly that digest as its subject. From the attestation I then check the builder identity, source repository, commit SHA, workflow identity and build parameters, and that the signature chains back to a trusted CI system rather than to an arbitrary key. Finally, I enforce those checks automatically in promotion or admission policy so a human is never the only gate.
Technical explanation
Provenance should answer where, when, how, and from which source the artifact was built.
Verification should key on immutable digests (the attestation's subject must match the exact digest being deployed) and on cryptographically verified identities (the signing key or OIDC identity of the builder), not on mutable tags or on metadata the artifact or its producer merely asserts about itself.
Policies should reject artifacts built from unprotected branches, unknown builders, missing provenance, or mismatched source repositories.
Hands-on example
Example: verify that the image with digest sha256:abc was built by the GitHub Actions workflow release.yml in org/checkout at commit 1234 from a protected tag, and that the attestation's signature is bound to that workflow identity. If the provenance's source repository, builder identity or ref does not match policy, or the attestation is missing, block promotion to production.
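Worked version of the checks in the technical explanation and the hands-on example above. This Python is added here and is not code from the original page or from any project it mentions. It assumes a SLSA v1 provenance statement in the layout the GitHub Actions build type uses (externalParameters.workflow with repository, ref and path; resolvedDependencies with a gitCommit digest; runDetails.builder.id), that the DSSE signature over the statement has already been verified against the builder's identity with a tool such as cosign or slsa-verifier, and that the trusted builder id, repository, digest, commit and tag values are constructed for illustration.

```python
"""Policy check over a decoded SLSA v1 provenance statement (added example).
Assumes the DSSE envelope was already signature-verified against the builder's
identity (e.g. with cosign or slsa-verifier); this code checks the statement's claims."""
import copy
import re
from dataclasses import dataclass
from typing import Optional

# Assumed trusted builder: the SLSA GitHub generator's container workflow, pinned to a tag.
TRUSTED_BUILDER = ("https://github.com/slsa-framework/slsa-github-generator/"
                   ".github/workflows/generator_container_slsa3.yml@refs/tags/v2.0.0")
# Constructed sample, not real build output: digest, commit and tag are made up.
GOOD_DIGEST, GOOD_COMMIT = "a" * 64, "1" * 40
GOOD_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": "https://slsa.dev/provenance/v1",
    "subject": [{"name": "ghcr.io/org/checkout", "digest": {"sha256": GOOD_DIGEST}}],
    "predicate": {
        "buildDefinition": {
            "externalParameters": {"workflow": {"ref": "refs/tags/v1.4.0",
                                                "repository": "https://github.com/org/checkout",
                                                "path": ".github/workflows/release.yml"}},
            "resolvedDependencies": [{"uri": "git+https://github.com/org/checkout@refs/tags/v1.4.0",
                                      "digest": {"gitCommit": GOOD_COMMIT}}]},
        "runDetails": {"builder": {"id": TRUSTED_BUILDER}}}}

@dataclass(frozen=True)
class Policy:
    expected_digest: str            # sha256 hex of the artifact being promoted
    trusted_builders: frozenset     # exact builder ids, including the @ref
    source_repo: str                # normalized, e.g. "github.com/org/checkout"
    workflow_path: str              # e.g. ".github/workflows/release.yml"
    protected_ref: re.Pattern       # refs allowed to produce production artifacts
    expected_commit: Optional[str] = None  # pin to one commit when promoting a build

def _normalize_repo(uri: str) -> str:
    """'git+https://github.com/org/repo@ref' or 'https://github.com/org/repo' -> 'github.com/org/repo'."""
    uri = re.sub(r"^(git\+)?https?://", "", uri).split("@", 1)[0]
    return uri.removesuffix(".git").rstrip("/")

def _source_commit(deps: list, source_repo: str) -> Optional[str]:
    """Commit recorded for the source repository among resolvedDependencies, if any."""
    for d in deps:
        if _normalize_repo(d.get("uri", "")) == source_repo:
            return d.get("digest", {}).get("gitCommit")
    return None

def check_provenance(statement: Optional[dict], policy: Policy) -> list:
    """Return policy violations for a decoded statement; an empty list means admit."""
    if statement is None:
        return ["no provenance attestation present"]
    v = []
    # Subject: the attestation must name the exact digest being deployed, never a tag.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if policy.expected_digest not in digests:
        v.append(f"subject digest does not cover {policy.expected_digest[:12]}")
    pred = statement.get("predicate", {})
    build = pred.get("buildDefinition", {})
    # Builder: exact id match, so a fork of the generator or an unpinned ref is rejected.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy.trusted_builders:
        v.append(f"untrusted builder {builder!r}")
    # Source repository, workflow file and ref come from the build's external parameters.
    wf = build.get("externalParameters", {}).get("workflow", {})
    repo = _normalize_repo(wf.get("repository", ""))
    if repo != policy.source_repo:
        v.append(f"source repository {repo!r} != {policy.source_repo!r}")
    if wf.get("path") != policy.workflow_path:
        v.append(f"workflow {wf.get('path')!r} != {policy.workflow_path!r}")
    ref = wf.get("ref", "")
    if not policy.protected_ref.fullmatch(ref):
        v.append(f"ref {ref!r} is not a protected ref")
    # Commit: from the resolved source dependency, which must point at the same repository.
    commit = _source_commit(build.get("resolvedDependencies", []), policy.source_repo)
    if commit is None:
        v.append("no resolved source dependency for the expected repository")
    elif policy.expected_commit and commit != policy.expected_commit:
        v.append(f"commit {commit[:12]} != expected {policy.expected_commit[:12]}")
    return v

PROD_POLICY = Policy(
    expected_digest=GOOD_DIGEST,
    trusted_builders=frozenset({TRUSTED_BUILDER}),
    source_repo="github.com/org/checkout",
    workflow_path=".github/workflows/release.yml",
    protected_ref=re.compile(r"refs/tags/v\d+\.\d+\.\d+"),
    expected_commit=GOOD_COMMIT,
)

def tampered_statement() -> dict:
    """Constructed failure case: a feature-branch build of a fork by an unknown builder."""
    s = copy.deepcopy(GOOD_STATEMENT)
    build = s["predicate"]["buildDefinition"]
    build["externalParameters"]["workflow"].update(
        ref="refs/heads/feature-x", repository="https://github.com/attacker/checkout")
    build["resolvedDependencies"][0]["uri"] = "git+https://github.com/attacker/checkout@refs/heads/feature-x"
    s["predicate"]["runDetails"]["builder"]["id"] = "https://github.com/attacker/build.yml@refs/heads/main"
    return s
```

In a pipeline, decode the DSSE payload (the base64 in-toto Statement) only after the envelope's signature has been verified, pass the resulting dict to check_provenance, and let any non-empty result block promotion or admission. The builder id is matched exactly, including its @ref, so a build from a forked or unpinned generator is rejected rather than silently accepted, and the commit is read from the resolved source dependency rather than from a tag, which can be moved after the fact.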
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]