Over the last few years, containers have become popular for software distribution and deployment, representing the innovation that software deployment desperately needed in a space where runtime environments are so fragmented. However, like any other disruption, this comes with its own challenges regarding software provenance – who added what to a container at what stage.