Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/in-toto/community

in-toto is a framework to secure the software supply chain.

cncf in-toto software-supply-chain software-supply-chain-security


README

![in-toto Logo](images/in-toto-logo.png "in-toto Logo")

in-toto provides a framework to protect the integrity of the software supply
chain. A project owner lays out the steps the chain must go through and which
functionaries may perform each one; each functionary records signed link
metadata describing what the step consumed and produced. Verification then
checks that every step was carried out as laid out, was signed only by a
functionary authorized for that step, and that the artifacts flowing from one
step to the next were not tampered with in between.
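The following is an added, self-contained illustration of that verification model; it is not in-toto's own code or metadata format. A two-step layout (clone, build) names the functionary authorized for each step and uses a small subset of in-toto's artifact rules (CREATE, ALLOW, DISALLOW, MATCH) to require that the source Bob builds is byte-for-byte what Alice cloned. The functionary names, keys, artifact contents and the HMAC stand-in for signatures are assumptions made for the example; real in-toto links carry asymmetric signatures checked against public keys in the layout.

```python
import fnmatch
import hashlib
import hmac
import json

# Constructed example: two functionaries. HMAC keys stand in for their signing keys so
# this runs with the standard library only; real in-toto links carry asymmetric
# signatures (e.g. Ed25519, RSA, ECDSA) checked against public keys listed in the layout.
KEYS = {"alice": b"alice-signing-key", "bob": b"bob-signing-key"}

def digest(data: bytes) -> dict:
    return {"sha256": hashlib.sha256(data).hexdigest()}

def canonical(obj) -> bytes:
    # Deterministic bytes to sign (in-toto uses canonical JSON for the same reason).
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(keyid: str, signed: dict) -> dict:
    return {"keyid": keyid, "sig": hmac.new(KEYS[keyid], canonical(signed), "sha256").hexdigest()}

def valid_signature(sig: dict, signed: dict) -> bool:
    key = KEYS.get(sig["keyid"])
    return key is not None and hmac.compare_digest(
        hmac.new(key, canonical(signed), "sha256").hexdigest(), sig["sig"])

def make_link(step: str, keyid: str, materials: dict, products: dict) -> dict:
    """Link metadata: what the functionary consumed (materials) and produced (products)."""
    signed = {"_type": "link", "name": step, "materials": materials, "products": products}
    return {"signed": signed, "signatures": [sign(keyid, signed)]}

# Layout (in practice signed by the project owner): the steps, who may sign each, and how
# artifacts must flow between them. Rules are applied in order and consume artifacts.
LAYOUT = {"steps": [
    {"name": "clone", "pubkeys": ["alice"],
     "expected_materials": [["DISALLOW", "*"]],
     "expected_products": [["CREATE", "foo.c"], ["DISALLOW", "*"]]},
    {"name": "build", "pubkeys": ["bob"],
     "expected_materials": [["MATCH", "foo.c", "WITH", "PRODUCTS", "FROM", "clone"],
                            ["DISALLOW", "*"]],
     "expected_products": [["CREATE", "foo"], ["DISALLOW", "*"]]},
]}

def apply_rules(rules, artifacts: dict, links: dict):
    """Simplified subset of in-toto's artifact rules. Returns None if every artifact
    is accounted for, else a reason string."""
    queue = dict(artifacts)
    for rule in rules:
        kind, pattern = rule[0], rule[1]
        hits = [name for name in queue if fnmatch.fnmatch(name, pattern)]
        if kind == "DISALLOW" and hits:
            return f"DISALLOW {pattern}: unexpected artifact(s) {sorted(hits)}"
        if kind in ("CREATE", "ALLOW"):
            for name in hits:
                queue.pop(name)
        if kind == "MATCH":  # MATCH <pattern> WITH <MATERIALS|PRODUCTS> FROM <step>
            source = links[rule[5]]["signed"][rule[3].lower()]
            for name in hits:
                if source.get(name) != queue[name]:
                    return f"MATCH {name}: digest differs from {rule[3]} of step {rule[5]}"
                queue.pop(name)
    return None

def verify(layout: dict, links: dict):
    """Every step needs a link with a valid signature from a key the layout authorizes
    for that step; only then are the artifact rules applied. Returns (ok, reason)."""
    for step in layout["steps"]:
        link = links.get(step["name"])
        if link is None:
            return False, f"no link metadata for step {step['name']}"
        if not any(sig["keyid"] in step["pubkeys"] and valid_signature(sig, link["signed"])
                   for sig in link["signatures"]):
            return False, f"step {step['name']}: no valid signature from an authorized key"
    for step in layout["steps"]:
        signed = links[step["name"]]["signed"]
        for field in ("materials", "products"):
            err = apply_rules(step["expected_" + field], signed[field], links)
            if err:
                return False, f"step {step['name']} {field}: {err}"
    return True, "ok"

# Constructed artifact contents.
SOURCE = b"int main(void) { return 0; }\n"
BINARY = b"\x7fELF-constructed-binary"

def honest_chain() -> dict:
    return {"clone": make_link("clone", "alice", {}, {"foo.c": digest(SOURCE)}),
            "build": make_link("build", "bob", {"foo.c": digest(SOURCE)}, {"foo": digest(BINARY)})}

def tampered_source_chain() -> dict:
    # Source changed between clone and build: MATCH sees a different digest.
    links = honest_chain()
    links["build"] = make_link("build", "bob", {"foo.c": digest(SOURCE + b"/* backdoor */\n")},
                               {"foo": digest(BINARY)})
    return links

def unauthorized_signer_chain() -> dict:
    # Alice signed the build step, but the layout only authorizes Bob for it.
    links = honest_chain()
    links["build"] = make_link("build", "alice", {"foo.c": digest(SOURCE)}, {"foo": digest(BINARY)})
    return links

def edited_after_signing_chain() -> dict:
    # Link body edited after Bob signed it: the signature no longer verifies.
    links = honest_chain()
    links["build"]["signed"]["products"]["foo"] = digest(b"swapped binary")
    return links
```

Running `verify(LAYOUT, honest_chain())` yields `(True, "ok")`; the three other chains are rejected with a reason naming the step and the failed check. The order matters: signatures are checked before any artifact rule is evaluated, so a link that was never signed by an authorized functionary cannot influence the MATCH of a later step.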

## Specification

Primarily, in-toto is a [specification](https://github.com/in-toto/docs). This
specification has been implemented in multiple languages. The specification can
be extended or changed by proposing
[in-toto Enhancements](https://github.com/in-toto/ite). Several have been
proposed and accepted and the full ITE process is documented as
[ITE-1](https://github.com/in-toto/ITE/blob/master/ITE/1/README.adoc).

Newcomers to the in-toto project are encouraged to familiarize themselves with
the specification and to see it in action with the in-toto
[demo](https://github.com/in-toto/demo).

## Attestations

The [in-toto attestation framework](https://github.com/in-toto/attestation) is a
stand-alone specification that defines the attestation format. An in-toto
attestation is a piece of authenticated metadata that captures information about
a set of software artifacts: a Statement names its subjects by cryptographic
digest and carries a typed predicate about them, and the Statement is signed
inside a DSSE envelope. The attestation framework was introduced in ITE-6.
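As an added example (not code from the attestation framework or any in-toto implementation), the block below builds a Statement, wraps it in a DSSE envelope using the DSSE pre-authentication encoding, and verifies it against an artifact and a policy's expected predicate type. The key, the artifact bytes and the predicate type `https://example.com/predicates/build-report/v1` are constructed for the example, and an HMAC stands in for the asymmetric signature a real envelope would carry.

```python
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Hypothetical predicate type for this example (not a published in-toto predicate).
PREDICATE_TYPE = "https://example.com/predicates/build-report/v1"
# Constructed key. HMAC stands in for a real signing key so this is stdlib-only; DSSE
# envelopes in practice carry asymmetric signatures verified with the signer's public key.
TRUSTED_KEYS = {"builder-key": b"constructed-builder-key"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_statement(name: str, artifact: bytes, predicate: dict) -> dict:
    """An in-toto Statement: subjects identified by digest plus a typed predicate."""
    return {"_type": STATEMENT_TYPE,
            "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
            "predicateType": PREDICATE_TYPE,
            "predicate": predicate}

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed. Binding
    the payload type in means a signature cannot be replayed under a different type."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)

def sign_envelope(statement: dict, keyid: str) -> dict:
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(TRUSTED_KEYS[keyid], pae(PAYLOAD_TYPE, payload), "sha256").digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify_envelope(envelope: dict, artifact: bytes, expected_predicate_type: str):
    """Check the signature over the PAE first, then that the statement is about this
    exact artifact and carries the predicate type policy expects. Returns (ok, reason)."""
    payload = base64.b64decode(envelope["payload"])
    signed_bytes = pae(envelope["payloadType"], payload)
    for sig in envelope["signatures"]:
        key = TRUSTED_KEYS.get(sig["keyid"])
        if key and hmac.compare_digest(hmac.new(key, signed_bytes, "sha256").digest(),
                                       base64.b64decode(sig["sig"])):
            break
    else:
        return False, "no valid signature from a trusted key"
    if envelope["payloadType"] != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE:
        return False, "payload is not an in-toto Statement"
    if statement.get("predicateType") != expected_predicate_type:
        return False, "predicate type not accepted by policy"
    want = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == want for s in statement.get("subject", [])):
        return False, "artifact is not a subject of this attestation"
    return True, "ok"

def demo_cases() -> dict:
    """Constructed artifact and envelopes: one honest, the rest must be rejected."""
    artifact = b"constructed release tarball bytes"
    statement = make_statement("app-1.0.tar.gz", artifact,
                               {"builder": "ci-runner-7", "reproducible": True})
    honest = sign_envelope(statement, "builder-key")

    # Payload edited after signing: subject digest re-pointed at a different artifact.
    edited = dict(honest)
    tampered = json.loads(base64.b64decode(honest["payload"]))
    tampered["subject"][0]["digest"]["sha256"] = sha256_hex(b"malicious tarball")
    edited["payload"] = base64.b64encode(
        json.dumps(tampered, sort_keys=True, separators=(",", ":")).encode()).decode()
    # Same signature, different payloadType: the PAE binds the type, so this fails too.
    retyped = dict(honest, payloadType="application/vnd.example+json")

    return {
        "honest": verify_envelope(honest, artifact, PREDICATE_TYPE),
        "wrong_artifact": verify_envelope(honest, b"malicious tarball", PREDICATE_TYPE),
        "payload_edited": verify_envelope(edited, b"malicious tarball", PREDICATE_TYPE),
        "payload_type_swapped": verify_envelope(retyped, artifact, PREDICATE_TYPE),
        "wrong_predicate": verify_envelope(honest, artifact, "https://example.com/predicates/other/v1"),
    }
```

Two points the code makes explicit: the signature covers the PAE, not the raw payload, so swapping `payloadType` on an otherwise intact envelope invalidates it; and a valid signature alone says nothing about the artifact in hand, which is why the verifier also checks that the artifact's digest appears among the statement's subjects and that the predicate type is one the consuming policy actually accepts.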

### attestation-verifier

attestation-verifier is a prototype of the verification capabilities introduced in
in-toto enhancements ITE-10 and ITE-11.

* [GitHub Repository](https://github.com/in-toto/attestation-verifier)

## Implementations

The in-toto maintainers oversee the development of four implementations of the
specification. They are in varying states of conformance with the
[in-toto specification](#specification) and the
[attestation framework](#attestations).

### in-toto-python (Reference Implementation)

This implementation was the first one and has reached the v1.0 milestone. As
such, it makes stability guarantees and is actively used in production by some
in-toto adopters.

Links:
* [GitHub Repository](https://github.com/in-toto/in-toto)
* [Good First Issues](https://github.com/in-toto/in-toto/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)

### in-toto-golang

This implementation is used for various cloud native integrations. It sees very
active development as it is the testbed for experimental features and changes
introduced as ITEs.

Links:
* [GitHub Repository](https://github.com/in-toto/in-toto-golang)
* [Good First Issues](https://github.com/in-toto/in-toto-golang/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)

### in-toto-java

The Java implementation was originally written to support integrations with the
Jenkins CI/CD system. It implements some of the in-toto specification and also
includes support for some attestation types.

Links:
* [GitHub Repository](https://github.com/in-toto/in-toto-java)
* [Good First Issues](https://github.com/in-toto/in-toto-java/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)

### in-toto-rs

in-toto-rs implements the in-toto specification in Rust. It is used in
integrations with the
[Reproducible Builds project](https://reproducible-builds.org) such as with
[rebuilderd](https://github.com/kpcyrd/rebuilderd).

Links:
* [GitHub Repository](https://github.com/in-toto/in-toto-rs)
* [Good First Issues](https://github.com/in-toto/in-toto-rs/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)

## User & Client Libraries and Tools

### Witness

Witness is a CLI tool that integrates into pipelines and infrastructure to create an audit trail of your software's entire journey through the software development lifecycle (SDLC), recorded as in-toto attestations. Witness also ships its own policy engine with embedded support for OPA Rego, so you can verify that your software was handled as expected from source to deployment.

Links:
* [GitHub Repository (cli tool)](https://github.com/in-toto/witness)
* [GitHub Repository (library)](https://github.com/in-toto/go-witness)
* [Good First Issues (cli tool)](https://github.com/in-toto/witness/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
* [Good First Issues (library)](https://github.com/in-toto/go-witness/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)
* [Website](https://witness.dev)

### Archivista

Archivista is a graph and storage service for in-toto attestations. Archivista enables the discovery and retrieval of attestations for software artifacts.

Links:
* [GitHub Repository](https://github.com/in-toto/archivista)
* [Good First Issues](https://github.com/in-toto/archivista/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)

## Adopters and other repositories of note

in-toto is integrated into several other ecosystems and complementary software
supply chain security efforts. An inexhaustive list of integrations and
adoptions is maintained in the
[in-toto/friends](https://github.com/in-toto/friends) repository.

The project maintains several integrations and resources pertaining to in-toto
such as:
* [in-toto Jenkins Plugin](https://github.com/jenkinsci/in-toto-plugin/)
* [in-toto Helm Charts](https://github.com/in-toto/helm-charts/)
* [Dockerfiles](https://github.com/in-toto/Dockerfiles)
* [in-toto Grafeas Connector](https://github.com/in-toto/totoify-grafeas)
* [Debian apt in-toto transport](https://github.com/in-toto/apt-transport-in-toto)

Contributions are welcome to these projects and any other repository in the
[in-toto GitHub organization](https://github.com/in-toto).