
Netcrook


WIKICROOK

Artifact provenance

The origin and history of a file, used to judge whether it is legitimate or tampered with.

Artifact provenance is the origin and history of a digital file or package: who created it, where it came from, how it was built, and whether it changed in transit. In security work, provenance helps answer a basic question: is this artifact the legitimate output of a trusted process, or a tampered file pretending to be harmless?

It matters because attackers often hide malware inside familiar delivery channels, such as software repositories, release pages, or shared downloads. A file may look trustworthy by reputation alone, yet still be malicious if its publisher, build path, or hash does not match expected values. Defenders use provenance checks to compare file hashes, verify signatures, inspect repository ownership, and correlate release history with normal behavior.

In practice, strong provenance reduces blind trust. It helps security teams spot fake installers, altered scripts, and hijacked releases before they reach endpoints.
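The hash, publisher and build-path comparison described above can be sketched as follows. This is an added example, not code from the original page; the field names (`publisher`, `build_path`, `sha256`), the sample values and the sample bytes are assumptions constructed for illustration, and signature verification is left out.

```python
import hashlib
import hmac
import io


def sha256_stream(fileobj, chunk_size=65536):
    """Hash a file-like object in chunks so large artifacts are not loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def check_provenance(fileobj, claimed, expected):
    """Return the list of provenance fields that do not match; empty means all passed.

    claimed  - metadata shipped alongside the artifact (hypothetical field names)
    expected - values pinned in advance from a trusted source
    """
    problems = []
    # The digest is computed from the bytes received, never read from claimed metadata.
    actual = sha256_stream(fileobj)
    if not hmac.compare_digest(actual, expected["sha256"].lower()):
        problems.append("hash")
    # A missing claimed field counts as a mismatch, not as a pass.
    for field in ("publisher", "build_path"):
        if claimed.get(field) != expected[field]:
            problems.append(field)
    return problems


# Constructed sample data: names, paths and bytes are made up for illustration.
RELEASE_BYTES = b"#!/bin/sh\necho installing example-tool 1.0\n"
EXPECTED = {
    "publisher": "example-org",
    "build_path": "example-org/example-tool/.ci/release.yml",
    "sha256": hashlib.sha256(RELEASE_BYTES).hexdigest(),
}

if __name__ == "__main__":
    genuine = {"publisher": "example-org", "build_path": EXPECTED["build_path"]}
    print(check_provenance(io.BytesIO(RELEASE_BYTES), genuine, EXPECTED))

    # Same file name and reputation, but altered bytes and a look-alike publisher.
    altered = RELEASE_BYTES + b"echo extra line\n"
    spoofed = {"publisher": "example-0rg", "build_path": EXPECTED["build_path"]}
    print(check_provenance(io.BytesIO(altered), spoofed, EXPECTED))
```

The expected values only help if they come from a channel the attacker does not control; a hash published next to the download on the same page changes when the page is tampered with.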
