SLSA Source Track: Proving Who Authored Every Line of Code

Using SLSA supply chain levels to cryptographically verify human vs. autonomous agent authorship of each commit in production.

Advanced 8 min read Updated May 2026

SLSA (Supply Chain Levels for Software Artifacts) is a framework for securing software supply chains. Its Source Track component does something most teams haven't yet needed: it proves, cryptographically, who—or what—authored every single commit in production.

With autonomous coding agents now writing 35% of internal merged PRs at Cursor (CEO disclosure, late February / early March 2026) and over 1 million pull requests across GitHub in five months (Octoverse 2025), proving agent vs. human authorship isn't a nice-to-have anymore. It's the foundation of compliance, incident response, and liability clarity.

What SLSA Levels Are

SLSA v1.0 splits supply-chain assurance into separate tracks (Build, Source, and others). The Build Track defines three numeric levels (L1–L3); the Source Track v1.2 defines L1–L4 (L4 introduces two-party review of source changes). The Build Track has no L4 — the previous v0.1 model that included a Build L4 was restructured for v1.0.

The Build Track levels:

Level     Requirement                                                     Typical Setup
Level 0   No security claims                                              Ad-hoc or no build process
Level 1   Provenance exists, generated by some process                    Build happens, logs kept
Level 2   Provenance signed by the build platform; hosted builder         Hosted CI/CD (GitHub Actions, GitLab CI)
Level 3   Hardened, isolated builder; provenance unforgeable by tenants   Reproducible builds, isolated environments

The Source Track is its own track with its own L1–L3 ladder, covered later in this article.

Most organizations targeting SLSA compliance start with Build Track Level 2, which requires:

  1. A hosted build platform (GitHub Actions, not Jenkins in a closet)
  2. Signed provenance attestations for every artifact
  3. Proof of what went into the build (source commit, dependencies)

For teams using autonomous coding agents, Level 2 is the minimum viable threshold. It proves which commits the build system actually used, and when combined with Source Track, proves who authored those commits.

Source Track: The Agent Authorship Layer

Source Track is SLSA's way of proving authorship at the commit level. The question it answers: "For every line of code in this production artifact, did a human write it, did an AI agent write it, or did both?"

A SLSA Source Track provenance attestation includes:

{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "ghcr.io/myorg/myapp:sha256-abc123",
      "digest": { "sha256": "abc123def456..." }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "externalParameters": {
        "source": "https://github.com/myorg/myapp",
        "trigger": "push",
        "entry_point": "build.sh"
      },
      "internalParameters": {
        "buildConfig": "... CI/CD pipeline definition ..."
      }
    },
    "resolvedDependencies": [
      {
        "uri": "git+https://github.com/myorg/myapp@refs/heads/main",
        "digest": { "gitCommit": "abc123def456..." },
        "downloadLocation": "https://github.com/myorg/myapp",
        "properties": {
          "commits": [
            {
              "hash": "abc123def456",
              "author": "[email protected]",
              "authored_by": "human"
            },
            {
              "hash": "def456ghi789",
              "author": "github.com/copilot-agent-v3",
              "authored_by": "autonomous_agent",
              "agent_model": "gpt-4-turbo-2024-12",
              "agent_timestamp": "2026-04-29T14:32:15Z"
            }
          ]
        }
      }
    ],
    "buildMetadata": {
      "invocationId": "build-2026-04-29-153000",
      "startTime": "2026-04-29T15:30:00Z",
      "finishTime": "2026-04-29T15:35:22Z",
      "completeness": {
        "parameters": true,
        "environment": false,
        "materials": true
      },
      "reproducible": false
    }
  }
}

The critical part is the resolvedDependencies[0].properties.commits[] array. For each commit in the build:

  • author — Git author name (Alice, Copilot, Replit, etc.)
  • authored_by — Classification: human, autonomous_agent, or co_authored
  • agent_model — If agent, which model version? (e.g., gpt-4-turbo-2024-12)
  • agent_timestamp — When did the agent generate the code?

This transforms the question "Who wrote this?" from a git-blame search into a verified claim backed by cryptographic signatures.

How SLSA Source Track Works

Step 1: Classify Commits During Build

Your CI/CD pipeline (GitHub Actions, GitLab CI, etc.) queries your source control system at build time:

# For each commit in the build. The format uses '|' as the field separator,
# so read must split on '|' (IFS) rather than on whitespace, or author names
# with spaces break the parse.
git log --format='%H|%an|%ae' <commit-range> | while IFS='|' read -r hash author email; do
  # Query: did an autonomous agent write this commit?
  # query_agent_db is a placeholder for your own agent-metadata lookup.
  agent_metadata=$(query_agent_db "$hash" "$author" "$email")

  if [ -n "$agent_metadata" ]; then
    echo "Commit $hash authored by agent: $agent_metadata"
  else
    echo "Commit $hash authored by human: $author"
  fi
done

For this to work, your agent authoring system (Copilot, Cursor, Replit, etc.) must write metadata to git:

  • Set the commit author to a consistent identifier (copilot-agent-v3, replit-agent-prod)
  • Include agent model version and timestamp in the commit message or extended attributes
  • Sign the commit with the agent's key (Sigstore keyless signing)
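One way to do the Step 1 classification, as an added example rather than the article's or any agent platform's own tooling: a Python version of the loop above that reads constructed git log records, treats a registered author identity as an agent, takes model and timestamp from commit trailers, and detects an agent Co-authored-by trailer on a human commit. The registry, the Agent-Model and Agent-Timestamp trailer names, and the sample records are assumptions.

```python
import re

# Assumed agent identities (constructed for this example): the consistent
# author identifiers the agent platform is configured to commit under,
# mapped to the model version they run.
AGENT_REGISTRY = {"copilot-agent-v3": "gpt-4-turbo-2024-12"}

# Constructed sample records as git log would emit them: (hash, author
# name, author email, full commit message including trailers).
SAMPLE_LOG = [
    ("abc123def456", "Alice Example", "alice@example.com",
     "Fix null check in parser"),
    ("def456ghi789", "copilot-agent-v3", "copilot-agent-v3@agents.example",
     "Refactor retry loop\n\nAgent-Model: gpt-4-turbo-2024-12\n"
     "Agent-Timestamp: 2026-04-29T14:32:15Z"),
    ("ghi789jkl012", "Alice Example", "alice@example.com",
     "Add tests\n\nCo-authored-by: copilot-agent-v3 <copilot-agent-v3@agents.example>"),
]

# Git-style "Key: value" trailer lines anywhere in the message body.
TRAILER = re.compile(r"^(?P<key>[A-Za-z-]+):\s*(?P<value>.+)$", re.M)


def classify_commit(commit_hash, author, email, message):
    """Return one commits[] entry in the layout the provenance above uses."""
    trailers = {m.group("key").lower(): m.group("value").strip()
                for m in TRAILER.finditer(message)}
    entry = {"hash": commit_hash, "author": email}
    if author in AGENT_REGISTRY:
        # Whole commit written by a registered agent: record identity,
        # model and generation time (trailers first, registry as fallback).
        entry["author"] = author
        entry["authored_by"] = "autonomous_agent"
        entry["agent_model"] = trailers.get("agent-model", AGENT_REGISTRY[author])
        if "agent-timestamp" in trailers:
            entry["agent_timestamp"] = trailers["agent-timestamp"]
        return entry
    co_author = trailers.get("co-authored-by", "").split("<")[0].strip()
    if co_author in AGENT_REGISTRY:
        # Human commit carrying an agent Co-authored-by trailer.
        entry["authored_by"] = "co_authored"
        entry["co_author"] = co_author
        return entry
    entry["authored_by"] = "human"
    return entry


def classify_log(records):
    """Classify every record into the provenance commits[] array."""
    return [classify_commit(*r) for r in records]
```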

Step 2: Generate the SLSA Attestation

Once the build is complete, generate an in-toto provenance attestation that includes the resolved commits:

# Using in-toto-run to generate attestation
in-toto-run \
  --step-name build \
  --products build-artifact-sha256.json \
  -- bash build.sh

# Add SLSA provenance with source track
slsa-provenance-generator \
  --artifact ghcr.io/myorg/myapp:sha256-abc123 \
  --source-repo https://github.com/myorg/myapp \
  --commits-from-log git.log \
  --agent-metadata agent-metadata.json \
  > slsa-provenance.json

Step 3: Sign the Attestation with Sigstore

Sign the provenance attestation so it can't be forged after build time:

cosign attest \
  --predicate slsa-provenance.json \
  --type slsaprovenance \
  ghcr.io/myorg/myapp:sha256-abc123

The signature proves: "This provenance was created by our CI/CD system at this specific build, and no one has tampered with it since."

Step 4: Verify During Incident Response

Now, during an incident, you can query the provenance:

# Get the SLSA attestation for the deployed artifact. verify-attestation
# prints the DSSE envelope; the in-toto statement is its base64 payload,
# so decode that before selecting the commits.
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp '^https://github.com/myorg/myapp/.github/workflows/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/myorg/myapp:sha256-abc123 \
  | jq -r '.payload' | base64 -d \
  | jq '.predicate.resolvedDependencies[0].properties.commits[]'

Output:

{
  "hash": "abc123def456",
  "author": "[email protected]",
  "authored_by": "human"
}
{
  "hash": "def456ghi789",
  "author": "copilot-agent-v3",
  "authored_by": "autonomous_agent",
  "agent_model": "gpt-4-turbo-2024-12",
  "agent_timestamp": "2026-04-29T14:32:15Z"
}
{
  "hash": "ghi789jkl012",
  "author": "[email protected]",
  "authored_by": "human",
  "co_author": "copilot-agent-v3"
}

In a production incident, this tells you exactly which commits to scrutinize. If the problem is in the agent-authored section, focus there. If human code is the culprit, investigate the human review process.

Connecting SLSA to Regulatory Compliance

SLSA Source Track directly addresses regulatory mandates:

EU AI Act (Article 12 logging) — The provenance attestation is your event log. Every agent decision is recorded in the attestation.

FedRAMP 20x (SBOM as Key Security Indicator) — The provenance attestation links artifacts to their source commits. Combined with SBOM, you can trace every dependency back to an author (human or agent).

Executive Order 14028 — Requires SBOM and provenance for federal software procurement. SLSA Source Track satisfies both at once.

Current Adoption Gap

SLSA Source Track v1.2 was approved in the v1.2 spec release (November 2025); ecosystem tooling adoption is still catching up. The main challenge is that today's autonomous agent platforms (Copilot, Cursor, Replit) don't yet consistently tag commits with agent identity and model version. Most commits from agents appear as human commits in git.

To close this gap:

  1. Agent platforms must commit code with consistent, cryptographically signed identifiers
  2. Git hosting services must expose agent metadata via APIs so CI/CD systems can query it
  3. CI/CD platforms must build SLSA attestation generation into their standard templates

Teams using agents in-house (custom LangChain or CrewAI systems) can implement this today. Teams relying on commercial agents should ask: "Does your product support SLSA Source Track generation? If not, how will we prove provenance to regulators?"

Implementation Path: Zero to SLSA Level 2 in CI/CD

Phase 1: Baseline (Week 1)

  • Implement GitHub Actions or GitLab CI as your build system (if not already)
  • Add a step that generates an attestation listing all commits in the build

Phase 2: Agent Metadata (Week 2–3)

  • If using autonomous agents, configure them to set consistent author identities
  • Create a mapping table: agent ID → model version → timestamp
  • Store this in git (metadata file) or in a queryable database

Phase 3: SLSA Attestation (Week 4)

  • Add slsa-github-generator action to your CI/CD pipeline
  • Configure it to include agent authorship data
  • Sign attestations with Sigstore cosign

Phase 4: Verification Gates (Week 5)

  • Add a verification step that checks SLSA attestation before deployment
  • Reject artifacts with unsigned or missing provenance
  • Log every verification result
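The Phase 4 gate and the Step 4 incident query, written as one added Python example (not code from the article or from any SLSA tool): it takes a decoded statement in the layout shown earlier, refuses deployment when the subject digest does not match the deployed artifact, when a commit is unclassified, or when an agent commit lacks a model or timestamp or names an unapproved model, and lists the commits to scrutinize first. The statement and the policy it enforces are constructed assumptions.

```python
import json

# Constructed statement in the layout this article's provenance uses (not a real
# attestation); in practice it is the decoded DSSE payload from cosign verify-attestation.
SAMPLE_STATEMENT = json.loads("""{
 "_type": "https://in-toto.io/Statement/v1",
 "subject": [{"name": "ghcr.io/myorg/myapp", "digest": {"sha256": "abc123def456"}}],
 "predicateType": "https://slsa.dev/provenance/v1",
 "predicate": {"resolvedDependencies": [{
  "uri": "git+https://github.com/myorg/myapp@refs/heads/main",
  "properties": {"commits": [
   {"hash": "abc123def456", "author": "alice@example.com", "authored_by": "human"},
   {"hash": "def456ghi789", "author": "copilot-agent-v3", "authored_by": "autonomous_agent",
    "agent_model": "gpt-4-turbo-2024-12", "agent_timestamp": "2026-04-29T14:32:15Z"},
   {"hash": "ghi789jkl012", "author": "copilot-agent-v3", "authored_by": "autonomous_agent"}
  ]}}]}}""")

ALLOWED_CLASSES = {"human", "autonomous_agent", "co_authored"}
REQUIRED_AGENT_FIELDS = ("agent_model", "agent_timestamp")


def commits_of(statement):
    deps = statement.get("predicate", {}).get("resolvedDependencies", [])
    return deps[0].get("properties", {}).get("commits", []) if deps else []


def gate(statement, deployed_digest, allowed_models):
    """Deployment gate: return (admit, findings). Any finding blocks the deploy;
    the policy here is an assumption for the example, not SLSA's own rules."""
    findings = []
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if deployed_digest not in digests:
        findings.append("subject digest does not match deployed artifact")
    commits = commits_of(statement)
    if not commits:
        findings.append("no commits recorded in provenance")
    for c in commits:
        h, cls = c.get("hash"), c.get("authored_by")
        if cls not in ALLOWED_CLASSES:
            findings.append(f"{h}: unclassified commit")
        elif cls == "autonomous_agent":
            # Agent commits must say which model wrote them and when.
            findings += [f"{h}: agent commit missing {f}" for f in REQUIRED_AGENT_FIELDS if f not in c]
            if c.get("agent_model") not in allowed_models:
                findings.append(f"{h}: model {c.get('agent_model')} not approved")
    return (not findings, findings)


def scrutinize_first(statement):
    """Incident triage: commits that were not purely human-authored."""
    return [c["hash"] for c in commits_of(statement) if c.get("authored_by") != "human"]
```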

Verizon DBIR Data: Why This Matters

Verizon's 2025 Data Breach Investigations Report found that 30% of confirmed breaches involved a third party, up from 15% the prior year. When Sonatype reports that vulnerability remediation is 264 days faster with SBOMs, part of that speed comes from knowing which team authored which dependency. SLSA Source Track extends that to every commit.

If an autonomous agent shipped a vulnerability into production, SLSA Source Track tells you:

  • Exactly which commit introduced the vulnerability
  • Which agent version and model wrote it
  • When the agent generated the code
  • Who approved the deployment
  • How the code changed between agent generation and merge

That's the foundation of liability clarity—and regulatory compliance.

This article is part of the Provenance knowledge series (4 articles).