in-toto / witness
Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
AI Architecture Analysis
This repository is indexed by RepoMind. By analyzing in-toto/witness in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.
Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.
Embed this Badge
Showcase RepoMind's analysis directly in your repository's README.
Repository Overview (README excerpt)
Crawler viewWitness Witness originated at **TestifySec** and was later donated to the CNCF in-toto ecosystem. It is now maintained by the open community. **DOCS • CONTRIBUTING • LICENSE** What does Witness do? ✏️ **Attests** - Witness is a dynamic CLI tool that integrates into pipelines and infrastructure to create an audit trail for your software's entire journey through the software development lifecycle (SDLC) using the in-toto specification. **🧐 Verifies** - Witness also features its own policy engine with embedded support for OPA Rego, so you can ensure that your software was handled safely from source to deployment. What can you do with Witness? • Verify how your software was produced and what tools were used • Ensure that each step of the supply chain was completed by authorized users and machines • Detect potential tampering or malicious activity • Distribute attestations and policy across air gaps Key Features • Integrations with GitLab, GitHub, AWS, and GCP. • Designed to run in both containerized and non-containerized environments **without** elevated privileges. • Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7) • An embedded OPA Rego policy engine for policy enforcement • Keyless signing with Sigstore and SPIFFE/SPIRE • Integration with RFC3161 compatible timestamp authorities • Process tracing and process tampering prevention (Experimental) • Attestation storage with Archivista Demo ![Demo][demo] Quick Start Installation To install Witness, all you will need is the Witness binary. You can download this from the releases page or use the install script to download the latest release: If you want install it manually and verify its integrity follow the instructions in the INSTALL.md. Tutorials Check out our Tutorials: • Getting Started • Verify an Artifact Policy • Using Fulcio as a Key Provider Media Check out some of the content out in the wild that gives more detail on how the project can be used. Blog/Video - Generating and Verifying Attestations With Witness Blog - What is a supply chain attestation, and why do I need it? Talk - Securing the Software Supply Chain with the in-toto & SPIRE projects Talk - Securing the Software Supply Chain with SBOM and Attestation Get Involved with the Community! Join the CNCF Slack and join the channel. You might also be interested in joining the channel for more general in-toto discussion, as well as the channel for discussion regarding the Archivista project. Community & Commercial Support • **Community channels** – Slack, GitHub Issues, and bi-weekly office hours are free and open to all contributors. • **Commercial platform & SLAs** – TestifySec offers managed Witness/Archivista hosting, and 24 × 7 support. (These commercial services are provided by TestifySec and are not part of the CNCF sponsorship of Witness.) [demo]: https://raw.githubusercontent.com/in-toto/witness/main/docs/assets/demo.gif "Demo"