Build provenance for package registries
10-27, 11:40–12:05 (Europe/Berlin), Main stage

Lessons learned from adding build provenance to the npm registry: linking npm packages back to their originating source code and build instructions using cloud CI/CD, Sigstore and SLSA.


Adding build provenance to a package registry is not a small undertaking, but it adds a major security capability: a package can be transparent about what it contains, where its source came from and how it was built.

This talk will dive into the challenges and lessons learned from adding build provenance to the npm registry, and into how other registries can add support for build provenance by leveraging existing services and standards such as Sigstore and SLSA.
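What "linking a package back to its source and build instructions" amounts to in practice is a policy check over the provenance statement that accompanies the package. The block below is an added example, not code from the talk, from npm or from GitHub. It assumes the Sigstore signature and transparency-log verification has already passed (for npm that is what `npm audit signatures` does) and checks only the claims inside the statement: the subject digest against the tarball you actually hold, the builder identity against an allow-list, and the source repository against what you expect. The statement, tarball bytes, package name, repository URL and the `TRUSTED_BUILDERS` allow-list are all constructed for illustration; the field names follow the SLSA v1 in-toto statement layout, not a captured npm document.

```python
"""Policy check over a SLSA v1 provenance statement for an npm package.

Added example, not code from the talk or from npm/GitHub. Assumes the Sigstore
signature and transparency-log checks have already passed and evaluates only
what the statement claims. All sample data below is constructed.
"""
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Builders we are willing to trust. Hypothetical allow-list for this example.
TRUSTED_BUILDERS = {
    "https://github.com/actions/runner/github-hosted",
}

# Constructed sample tarball bytes; a real check hashes the downloaded .tgz.
SAMPLE_TARBALL = b"not a real tarball, just sample bytes\n"
SAMPLE_DIGEST = hashlib.sha512(SAMPLE_TARBALL).hexdigest()

# Constructed SLSA v1 statement (shape only; every value is illustrative).
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/%40example/widget@1.2.3",
                 "digest": {"sha512": SAMPLE_DIGEST}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v1.2.3",
                    "repository": "https://github.com/example/widget",
                    "path": ".github/workflows/publish.yml",
                }
            },
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example/widget@refs/tags/v1.2.3",
                "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"},
            }],
        },
        "runDetails": {
            "builder": {"id": "https://github.com/actions/runner/github-hosted"},
        },
    },
})


def check_provenance(statement_json, tarball, expected_purl, expected_repo):
    """Return a list of policy failures; an empty list means the statement passes.

    Checks, in order: the predicate is SLSA v1; some subject names the package we
    expect and carries the sha512 of the tarball we hold; the builder is on the
    allow-list; the source repository is the one we expect for this package.
    """
    failures = []
    st = json.loads(statement_json)

    if st.get("predicateType") != SLSA_V1:
        failures.append(f"unexpected predicateType {st.get('predicateType')!r}")

    # Bind the statement to the exact bytes being installed, not just a name.
    digest = hashlib.sha512(tarball).hexdigest()
    subjects = st.get("subject", [])
    if not any(s.get("name") == expected_purl
               and s.get("digest", {}).get("sha512") == digest
               for s in subjects):
        failures.append("no subject matches expected package name and sha512 of the tarball")

    pred = st.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        failures.append(f"builder {builder!r} is not in the trusted builder list")

    # The repository claim is what ties the artifact back to its source.
    repo = (pred.get("buildDefinition", {})
                .get("externalParameters", {})
                .get("workflow", {})
                .get("repository"))
    if repo != expected_repo:
        failures.append(f"source repository {repo!r} != expected {expected_repo!r}")

    return failures


if __name__ == "__main__":
    print(check_provenance(SAMPLE_STATEMENT, SAMPLE_TARBALL,
                           "pkg:npm/%40example/widget@1.2.3",
                           "https://github.com/example/widget"))
```

The expected repository has to come from somewhere you already trust for that package (a pinned policy file, or a previous verified release), not from the statement itself, otherwise the check only confirms that the statement is internally consistent. The builder allow-list is likewise a policy decision: a self-hosted runner can produce a well-formed statement, so the list encodes which build environments you are prepared to believe.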

Software engineer on the package security team at GitHub, helping secure open source packages; previously worked on automating dependency updates with Dependabot.