Software Supply Chain Integrity in DevOps: Provenance, Attestations, and Tamper-Resistant Build Pipelines
Abstract
Modern delivery pipelines depend on third-party dependencies, build tools, and container ecosystems, expanding the attack surface of software supply chains. This research develops an integrity-first build pipeline model based on verifiable provenance, signed attestations, and artifact immutability. The paper evaluates approaches to dependency pinning, reproducible builds, and secure artifact promotion across environments. Findings indicate that integrating attestations into release workflows substantially reduces exposure to dependency substitution and artifact tampering while improving traceability for incident response.
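As an added illustration of the promotion gate the abstract describes (this is not code from the paper), the following Python binds a build artifact's digest and its pinned dependency set into an attestation and refuses promotion when the artifact, the attestation or the pins have been altered. It uses an HMAC under a constructed key as a stand-in for the asymmetric signature a real pipeline would use, and the function names, key and sample data are all hypothetical.

```python
"""Gate artifact promotion on a signed attestation (added example)."""
import hashlib
import hmac
import json

# Constructed stand-in for the builder's signing key. A real pipeline would
# use an asymmetric key pair so verifiers never hold signing material.
BUILDER_KEY = b"constructed-demo-key"


def canonical(obj: dict) -> bytes:
    # Canonical JSON so signer and verifier authenticate identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(artifact: bytes, pinned_deps: dict, key: bytes = BUILDER_KEY):
    """Builder side: bind the artifact digest and pinned dependency set to a statement."""
    statement = {
        "subject": {"sha256": hashlib.sha256(artifact).hexdigest()},
        "predicate": {"builder": "ci-runner", "dependencies": pinned_deps},
    }
    mac = hmac.new(key, canonical(statement), hashlib.sha256).hexdigest()
    return statement, mac


def verify_for_promotion(artifact: bytes, statement: dict, mac: str,
                         lockfile: dict, key: bytes = BUILDER_KEY) -> list:
    """Promotion gate: return the list of integrity failures (empty list means promote)."""
    failures = []
    expected = hmac.new(key, canonical(statement), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        failures.append("attestation signature invalid")
    # The attestation must describe exactly the bytes being promoted.
    if statement["subject"]["sha256"] != hashlib.sha256(artifact).hexdigest():
        failures.append("artifact digest does not match attestation")
    # Dependency substitution shows up as a mismatch against the pinned lockfile.
    if statement["predicate"]["dependencies"] != lockfile:
        failures.append("attested dependencies differ from pinned lockfile")
    return failures


if __name__ == "__main__":
    lock = {"requests": "2.28.1", "urllib3": "1.26.12"}   # constructed pins
    art = b"constructed artifact bytes v1"
    st, m = sign_attestation(art, lock)
    print(verify_for_promotion(art, st, m, lock))          # []
    print(verify_for_promotion(art + b"x", st, m, lock))   # digest mismatch
    tampered = json.loads(json.dumps(st))
    tampered["predicate"]["dependencies"]["urllib3"] = "1.26.0"
    print(verify_for_promotion(art, tampered, m, lock))    # signature invalid, deps differ
```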
Cite this article
(2022). Software Supply Chain Integrity in DevOps: Provenance, Attestations, and Tamper-Resistant Build Pipelines. Research Explorations in Global Knowledge & Technology (REGKT), 1 (3). Retrieved from https://regkt.com/article.php?id=774&slug=software-supply-chain-integrity-devops-provenance-attestations-tamper-resistant-build-pipelines