{"id":28645698,"url":"https://github.com/engineerd/in-toto-container","last_synced_at":"2025-09-15T07:32:41.693Z","repository":{"id":38329280,"uuid":"202772919","full_name":"engineerd/in-toto-container","owner":"engineerd","description":"Programmatically running in-toto verifications in a container","archived":false,"fork":false,"pushed_at":"2022-12-07T23:37:19.000Z","size":6219,"stargazers_count":4,"open_issues_count":6,"forks_count":1,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-08-28T18:06:59.229Z","etag":null,"topics":["in-toto"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/engineerd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-08-16T17:37:24.000Z","updated_at":"2024-04-30T01:32:42.000Z","dependencies_parsed_at":"2023-01-24T07:45:12.923Z","dependency_job_id":null,"html_url":"https://github.com/engineerd/in-toto-container","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/engineerd/in-toto-container","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/engineerd%2Fin-toto-container","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/engineerd%2Fin-toto-container/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/engineerd%2Fin-toto-container/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/engineerd%2Fin-toto-container/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/engineerd","download_url":"https://codeload.github.com/engineerd/in-toto-container/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/engineerd%2Fin-toto-container/sbom","scorecard":{"id":377286,"data":{"date":"2025-08-11","repo":{"name":"github.com/engineerd/in-toto-container","commit":"288a901d423490562f09f927bef7e68b8bb1fcbb"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.5,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/7 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/engineerd/in-toto-container/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/engineerd/in-toto-container/ci.yml/master?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"67 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0784 / GHSA-36xw-fx78-c5r4","Warn: Project is vulnerable to: GHSA-6g2q-w5j3-fwh4","Warn: Project is vulnerable to: GO-2022-0921 / GHSA-c72p-9xmj-rx3w","Warn: Project is vulnerable to: GO-2022-0938 / GHSA-c2h3-6mxw-7mvq","Warn: Project is vulnerable to: GO-2022-0360 / GHSA-5j5w-g665-5m35","Warn: Project is vulnerable to: GO-2022-0344 / GHSA-crp2-qrr5-8pq7","Warn: Project is vulnerable to: GO-2024-2846 / GHSA-c9cp-9c75-9v8c","Warn: Project is vulnerable to: GO-2022-0482 / GHSA-5ffw-gxpp-mxpf","Warn: Project is vulnerable to: GO-2022-1147 / GHSA-2qjp-425j-52j9","Warn: Project is vulnerable to: GO-2023-1573 / GHSA-259w-8hf6-59c2","Warn: Project is vulnerable to: GO-2023-1574 / GHSA-hmfx-3pcx-653p","Warn: Project is vulnerable to: GO-2023-2412 / GHSA-7ww5-4wqc-m92c","Warn: Project is vulnerable to: GO-2025-3528 / GHSA-265r-hfxg-fhmg","Warn: Project is vulnerable to: GO-2024-2912 / GHSA-99pg-grm5-qq3v","Warn: Project is vulnerable to: GO-2022-0379 / GHSA-qq97-vm5h-rrhg","Warn: Project is vulnerable to: GHSA-hqxw-f8mx-cpmw","Warn: Project is vulnerable to: GO-2021-0053 / GHSA-c3h9-896r-86jm","Warn: Project is vulnerable to: GHSA-6hwg-w5jg-9c6x","Warn: Project is vulnerable to: GHSA-6fj5-m822-rqx8","Warn: Project is vulnerable to: GHSA-7452-xqpj-6rpc","Warn: Project is vulnerable to: GO-2024-2521","Warn: Project is vulnerable to: GO-2024-2500 / GHSA-3fwx-pjgw-3558","Warn: Project is vulnerable to: GO-2024-2913","Warn: Project is vulnerable to: GO-2024-2914 / GHSA-xmmx-7jpf-fx42","Warn: Project is vulnerable to: GO-2022-0390 / GHSA-2mm7-x5h6-5pvq","Warn: Project is vulnerable to: GO-2024-2512 / GHSA-xw73-rw38-6vjc","Warn: Project is vulnerable to: GO-2024-3305 / GHSA-gh5c-3h97-2f3q","Warn: Project is vulnerable to: GO-2024-3304 / GHSA-2mj3-vfvx-fc43","Warn: Project is vulnerable to: GHSA-77vh-xpmg-72qh","Warn: Project is vulnerable to: GO-2022-0835 / GHSA-gp4j-w3vj-7299","Warn: Project is vulnerable to: GO-2021-0085 / GHSA-fgv8-vj5c-2ppq","Warn: Project is vulnerable to: GO-2021-0087 / GHSA-fh74-hm69-rqjw","Warn: Project is vulnerable to: GO-2022-0396 / GHSA-g54h-m393-cpwq","Warn: Project is vulnerable to: GO-2022-0914 / GHSA-c3xm-pvg7-gh7r","Warn: Project is vulnerable to: GHSA-v95c-p5hm-xq8f","Warn: Project is vulnerable to: GO-2022-0452 / GHSA-f3fp-gc8g-vw66","Warn: Project is vulnerable to: GO-2023-1683 / GHSA-g2j6-57v7-gm8c","Warn: Project is vulnerable to: GO-2023-1682 / GHSA-m8cg-xc2p-r3fc","Warn: Project is vulnerable to: GO-2024-3110 / GHSA-jfvp-7x6p-h2pv","Warn: Project is vulnerable to: GO-2022-0322 / GHSA-cg3q-j54f-5p7p","Warn: Project is vulnerable to: GO-2022-0229 / GHSA-cjjc-xp8v-855w","Warn: Project is vulnerable to: GO-2020-0012 / GHSA-ffhg-7mh4-33c4","Warn: Project is vulnerable to: GO-2021-0227 / GHSA-3vm4-22fp-5rfm","Warn: Project is vulnerable to: GO-2022-0968 / GHSA-gwc9-m7rh-j2ww","Warn: Project is vulnerable to: GO-2021-0356 / GHSA-8c26-wmh5-6g9v","Warn: Project is vulnerable to: GO-2024-2961","Warn: Project is vulnerable to: GO-2023-2402 / GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2022-0236 / GHSA-h86h-8ppg-mxmh","Warn: Project is vulnerable to: GO-2021-0238 / GHSA-83g2-8m93-v3w7","Warn: Project is vulnerable to: GO-2022-0288","Warn: Project is vulnerable to: GO-2022-0969 / GHSA-69cg-p879-7622","Warn: Project is vulnerable to: GO-2022-1144 / GHSA-xrjj-mj9h-534m","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GO-2023-2153 / GHSA-m425-mq94-257g / GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2022-0493 / GHSA-p782-xgp4-8hr8","Warn: Project is vulnerable to: GO-2020-0015 / GHSA-5rcv-m4m3-hfh7","Warn: Project is vulnerable to: GO-2021-0113 / GHSA-ppp9-7jff-5vj2","Warn: Project is vulnerable to: GO-2022-1059 / GHSA-69ch-w2m2-3vjp","Warn: Project is vulnerable to: GO-2020-0036 / GHSA-wxc4-f4m6-wwqv"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T14:33:23.958Z","repository_id":38329280,"created_at":"2025-08-18T14:33:23.958Z","updated_at":"2025-08-18T14:33:23.958Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275225286,"owners_count":25427000,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-15T02:00:09.272Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["in-toto"],"created_at":"2025-06-13T01:40:01.952Z","updated_at":"2025-09-15T07:32:41.685Z","avatar_url":"https://github.com/engineerd.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# In-Toto verifications in a container\n\n![](https://github.com/engineerd/in-toto-container/workflows/GitHub%20Actions/badge.svg)\n\nThis is a project that enables running [In-Toto][in-toto] verifications inside a Linux container.\n\n\u003e This project assumes familiarity with the [In-Toto Specification][in-toto-spec].\n\n\u003e Verification is the process by which data and metadata included in the final product is used to ensure its correctness. Verification is performed by the client by checking the supply chain layout and links for correctness, as well as by performing the inspection steps.\n\n## Why run verifications in a container?\n\nThe main reason for providing a containerized environment for In-Toto verifications is related to dependencies - at a minimum, running an In-Toto verification [requires Python, OpenSSL, git, and pip][deps]. On top of this, individual layouts might require additional dependencies in order to execute the verification (for example, the official demo needs to execute `tar` locally). Running in a container ensures the desired dependencies and their versions are available for clients running the verifications.\n\nAdditionally, using this method, verifications can be executed on any operating system\n\n## Requirements\n\nWe introduce the concept of a _verification image_ - a container image where verifications are performed. At a minimum, the image needs to satisfy the requirements for running the `in-toto-verify` binary, and the existence of the `/in-toto` directory at the root of the file system.\n\nSuch a container image can be built using the following Dockerfile:\n\n```\nFROM python:latest\n\nRUN mkdir /in-toto\nRUN pip install in-toto\n```\n\n## How does this work?\n\nThe root layout, keys, target files, and links directory are passed as arguments to this utility, they are copied inside the verification image in the `/in-toto` directory, and then the `in-toto-verify` utility is run in the container.\n\n\u003e Note that currently, the utility doesn't currently support passing all flags to `in-toto-verify`, and currently a single key is passed.\n\n```\n$ make e2e\n$ itc verify --layout testdata/intoto/demo.layout.template --layout-key testdata/intoto/alice.pub --links testdata/intoto/ --target testdata/intoto/foo.tar.gz\nvalidating layout structure and signatures...\nINFO[0000] validating layout structure and signatures..\nINFO[0000] running in-toto verifications in container based on image docker.pkg.github.com/engineerd/in-toto-container/verification:v1...\nINFO[0000] Copying file in-toto/foo.tar.gz in container for verification..\nINFO[0000] Copying file /in-toto/layout.template in container for verification..\nINFO[0000] Copying file /in-toto/key.pub in container for verification..\nINFO[0000] Copying file in-toto/package.2f89b927.link in container for verification..\nINFO[0000] Copying file in-toto/write-code.776a00e2.link in container for verification..\nINFO[0001] Loading layout...\nINFO[0001] Loading layout key(s)...\nINFO[0001] Verifying layout signatures...\nINFO[0001] Verifying layout expiration...\nINFO[0001] Reading link metadata files...\nINFO[0001] Verifying link metadata signatures...\nINFO[0001] Verifying sublayouts...\nINFO[0001] Verifying alignment of reported commands...\nINFO[0001] Verifying command alignment for 'write-code.776a00e2.link'...\nINFO[0001] Verifying command alignment for 'package.2f89b927.link'...\nINFO[0001] Verifying threshold constraints...\nINFO[0001] Skipping threshold verification for step 'write-code' with threshold '1'...\nINFO[0001] Skipping threshold verification for step 'package' with threshold '1'...\nINFO[0001] Verifying Step rules...\nINFO[0001] Verifying material rules for 'write-code'...\nINFO[0001] Verifying product rules for 'write-code'...\nINFO[0001] Verifying 'ALLOW foo.py'...\nINFO[0001] Verifying material rules for 'package'...\nINFO[0001] Verifying 'MATCH foo.py WITH PRODUCTS FROM write-code'...\nINFO[0001] Verifying 'DISALLOW *'...\nINFO[0001] Verifying product rules for 'package'...\nINFO[0001] Verifying 'ALLOW foo.tar.gz'...\nINFO[0001] Verifying 'ALLOW foo.py'...\nINFO[0001] Executing Inspection commands...\nINFO[0001] Executing command for inspection 'untar'...\nINFO[0001] Running 'untar'...\nINFO[0001] Recording materials '.'...\nINFO[0001] Running command 'tar xfz foo.tar.gz'...\nINFO[0001] Recording products '.'...\nINFO[0001] Creating link metadata...\nINFO[0001] Verifying Inspection rules...\nINFO[0001] Verifying material rules for 'untar'...\nINFO[0001] Verifying 'MATCH foo.tar.gz WITH PRODUCTS FROM package'...\nINFO[0001] Verifying 'DISALLOW foo.tar.gz'...\nINFO[0001] Verifying product rules for 'untar'...\nINFO[0001] Verifying 'MATCH foo.py WITH PRODUCTS FROM write-code'...\nINFO[0001] Verifying 'DISALLOW foo.py'...\nINFO[0001] The software product passed all verification.\n```\n\n[in-toto]: https://github.com/in-toto/in-toto\n[in-toto-spec]: https://github.com/in-toto/docs/blob/master/in-toto-spec.md\n[deps]: https://github.com/in-toto/in-toto#install-\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fengineerd%2Fin-toto-container","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fengineerd%2Fin-toto-container","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fengineerd%2Fin-toto-container/lists"}