Software Provenance for Cloud Services

Software provenance provides the auditable evidence needed to meet compliance objectives across regulatory, contractual, and policy requirements. By recording and verifiably linking every step from material sourcing to final artefact, provenance enables organizations to demonstrate control, transparency, and accountability in the software supply chain. Thus, software provenance for cloud services provides important evidences for EMERALD’s Compliance-as-a-Service.

Codyze-Provenance is an evidence extraction tool developed in EMERALD that collects provenance reports from CI/CD pipelines (cf. D2.9). These provenance reports build upon the SLSA and in-toto frameworks. SLSA is a security framework that defines levels of assurance for software artefacts, focusing on verifiable provenance, the integrity of the build environment, and reproducibility. It provides a maturity model and a concrete provenance schema. in-toto is complementary to SLSA and offers a practical, end-to-end attestation framework that can carry the provenance data in a flexible, interoperable way. It defines a configurable layout of the steps in a CI/CD pipeline together with per-step attestations, enabling end-to-end integrity assurance of the software supply chain.
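To make the combination of the two frameworks concrete, the following example is added here; it is not Codyze-Provenance or EMERALD code. It builds SLSA v1 provenance statements in the in-toto Statement format, wraps each one in a DSSE envelope, and then verifies a two-step pipeline end to end: every material must be a pinned source or the output of an earlier attested step, every builder must be on a policy allowlist, and the delivered artefact must be the subject of the final step. The builder and build-type URIs, the sample bytes, the trusted-root set and the HMAC key are constructed for the example; a real pipeline signs envelopes with an asymmetric key, and a full in-toto verifier additionally checks a signed layout, which is not implemented here.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Schema identifiers from the in-toto attestation and SLSA v1 provenance specifications.
IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed policy: builder identities this verifier trusts (hypothetical URIs).
TRUSTED_BUILDERS = {"https://ci.example.invalid/builders/linux-build@v1"}

# Constructed HMAC key standing in for the builder's signing key. Real pipelines use an
# asymmetric key (e.g. Ed25519/ECDSA) so that a verifier cannot forge attestations.
BUILDER_KEY = b"constructed-builder-key-not-for-real-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: binds the payload type to the signed bytes."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def make_statement(subject_name: str, subject: bytes, builder_id: str,
                   materials: list[tuple[str, str]]) -> dict:
    """SLSA v1 provenance: 'subject' is what was produced, 'resolvedDependencies' what was
    consumed, 'runDetails.builder.id' who performed the build."""
    return {
        "_type": IN_TOTO_STATEMENT,
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_hex(subject)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.invalid/buildtypes/generic@v1",  # hypothetical
                "externalParameters": {},
                "resolvedDependencies": [
                    {"uri": uri, "digest": {"sha256": digest}} for uri, digest in materials
                ],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def sign_statement(statement: dict, key: bytes) -> dict:
    """Wrap a statement in a DSSE envelope; the signature covers the PAE, not raw JSON."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(DSSE_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": DSSE_PAYLOAD_TYPE, "payload": b64(payload),
            "signatures": [{"keyid": "builder-key-1", "sig": b64(sig)}]}


def open_envelope(envelope: dict, key: bytes) -> dict:
    """Verify signature and schema before trusting any field of the payload."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in envelope["signatures"]):
        raise ValueError("DSSE signature verification failed")
    statement = json.loads(payload)
    if (statement.get("_type") != IN_TOTO_STATEMENT
            or statement.get("predicateType") != SLSA_PROVENANCE_V1):
        raise ValueError("unexpected statement or predicate type")
    return statement


def verify_chain(envelopes: list[dict], key: bytes, trusted_roots: set[str],
                 delivered: bytes) -> list[str]:
    """Walk per-step attestations in pipeline order; return policy findings (empty = pass)."""
    findings: list[str] = []
    attested: dict[str, str] = {}  # digest -> subject name produced by an earlier step
    for step_no, envelope in enumerate(envelopes, start=1):
        stmt = open_envelope(envelope, key)
        builder = stmt["predicate"]["runDetails"]["builder"]["id"]
        if builder not in TRUSTED_BUILDERS:
            findings.append(f"step {step_no}: untrusted builder {builder}")
        for dep in stmt["predicate"]["buildDefinition"]["resolvedDependencies"]:
            digest = dep["digest"]["sha256"]
            if digest not in trusted_roots and digest not in attested:
                findings.append(f"step {step_no}: material {dep['uri']} has no provenance")
        for subj in stmt["subject"]:
            attested[subj["digest"]["sha256"]] = subj["name"]
    if sha256_hex(delivered) not in attested:
        findings.append("delivered artefact digest does not match any attested subject")
    return findings


def demo_pipeline() -> tuple[list[dict], set[str], bytes]:
    """Constructed two-step pipeline: compile a binary from pinned source, then package it."""
    source = b"constructed source tree"
    binary = b"constructed compiled binary"
    image = b"constructed container image layer"
    builder = "https://ci.example.invalid/builders/linux-build@v1"
    build = make_statement("service", binary, builder,
                           [("git+https://example.invalid/repo", sha256_hex(source))])
    package = make_statement("service-image", image, builder,
                             [("file:service", sha256_hex(binary))])
    envelopes = [sign_statement(build, BUILDER_KEY), sign_statement(package, BUILDER_KEY)]
    return envelopes, {sha256_hex(source)}, image


if __name__ == "__main__":
    envs, roots, artefact = demo_pipeline()
    print("findings:", verify_chain(envs, BUILDER_KEY, roots, artefact))
```

The order of checks matters: the signature and schema are validated before any predicate field is read, so an attacker who can write to the attestation store but holds no builder key cannot inject a step, and a material that no earlier step produced is reported rather than silently accepted.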


Codyze-Provenance collects the provenance reports from each step in the CI/CD pipeline. The reports are processed into evidences and aligned with the CertGraph Ontology (cf. D2.10). This structure permits further compliance assessment within the EMERALD framework. Finally, Codyze-Provenance submits the evidences to the Evidence Store and Trustworthiness System within the EMERALD framework (cf. D3.4).

With the evidences from provenance reports, Codyze-Provenance enables cloud service providers to demonstrate control, transparency, and accountability in their software supply chain, while enabling cloud customers and auditors to validate that supply chain. Thus, it contributes to EMERALD’s mission of ensuring trust, compliance, and resilience in dynamic, multi-tenant cloud environments.
