What is a necessary step to generate provenance for software builds to assure they are untampered?

Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz. Study with flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam with confidence!

Generating SLSA (Supply-chain Levels for Software Artifacts) level 3 assurance using Cloud Build is crucial in establishing solid provenance for software builds. SLSA is a framework designed to increase confidence in the integrity of software artifacts throughout their lifecycle. Level 3 assurance specifically indicates a high level of confidence in the security and integrity of the build process.

To achieve SLSA level 3, specific processes must be employed during the build, such as ensuring the integrity of the source code, using tamper-evident storage for build logs, and leveraging automated tests. By utilizing Cloud Build, you can configure your builds to incorporate these necessary security checks and balances, ensuring that any artifacts created are verified and can be traced back to a secure process. This builds trust around your software's provenance, confirming that it has not been tampered with throughout the entire build pipeline.

Additionally, achieving this level of assurance ensures that the builds are compliant with security best practices, enhancing the overall security posture of the applications being developed. This comprehensive approach solidifies the confidence stakeholders have in the software being distributed and deployed.
