Glossary

Provenance Verification


Provenance verification confirms the origin and authenticity of software components. It answers the question: does this library or artifact actually come from the stated publisher, and was it tampered with in transit? Verification methods include digital signatures, hash comparisons and SLSA (Supply-chain Levels for Software Artifacts) attestations. Provenance checks are a key defense against supply-chain attacks in which attackers inject compromised packages into dependency repositories. In your CI/CD pipeline, provenance should be verified automatically before a dependency is incorporated into the build. SBOMs (Software Bills of Materials) complement provenance verification by providing full transparency of the components that are included.
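As an added example (not part of the glossary), a Python check that combines two of the methods named above: a hash comparison against a pinned digest and a policy check over a SLSA v1 provenance statement, the way a CI step would gate a dependency. The artifact bytes, the statement contents, the builder id, the `source` parameter and the URLs are constructed sample values, and the signature on the attestation envelope is assumed to have been verified already by the attestation tooling (this code checks only the statement's contents).

```python
import hashlib
import hmac

# Constructed sample artifact and SLSA v1 provenance statement (not a real package).
ARTIFACT = b"example-lib-1.2.3.tar.gz contents (constructed)\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-lib-1.2.3.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        # "source" is an assumed, builder-specific external parameter for this example.
        "buildDefinition": {"externalParameters": {"source": "https://example.invalid/org/example-lib"}},
        "runDetails": {"builder": {"id": "https://example.invalid/builders/ci@v1"}},
    },
}

# Policy: which builders we trust and which source repository the artifact must come from.
TRUSTED_BUILDERS = {"https://example.invalid/builders/ci@v1"}
EXPECTED_SOURCE = "https://example.invalid/org/example-lib"


def check_hash(data: bytes, expected_sha256: str) -> bool:
    """Hash comparison: recompute the digest and compare it in constant time."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256.lower())


def check_provenance(data: bytes, statement: dict) -> list[str]:
    """Return policy failures for an artifact and its SLSA statement; an empty list means it passes."""
    failures = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("unexpected predicate type")
    # The attestation must be about *this* artifact: its digest must appear among the subjects.
    digest = hashlib.sha256(data).hexdigest()
    subjects = statement.get("subject", [])
    if not any(hmac.compare_digest(s.get("digest", {}).get("sha256", "").lower(), digest) for s in subjects):
        failures.append("artifact digest not listed in attestation subject")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        failures.append(f"untrusted builder: {builder}")
    source = pred.get("buildDefinition", {}).get("externalParameters", {}).get("source")
    if source != EXPECTED_SOURCE:
        failures.append(f"unexpected source repository: {source}")
    return failures


if __name__ == "__main__":
    print("hash ok:", check_hash(ARTIFACT, ARTIFACT_SHA256))
    print("provenance failures:", check_provenance(ARTIFACT, PROVENANCE))
```

A tampered artifact fails both checks even if the attacker ships the original statement alongside it, because the digest in the subject no longer matches; a statement from an unlisted builder fails the builder check even when the digest matches.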