in-toto / community

in-toto is a framework to secure the software supply chain.
https://in-toto.io/
69 stars 10 forks source link
cncf in-toto software-supply-chain software-supply-chain-security

in-toto Logo

in-toto provides a framework to protect the integrity of the software supply chain. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit.

Specification

Primarily, in-toto is a specification. This specification has been implemented in multiple languages. The specification can be extended or changed by proposing in-toto Enhancements. Several have been proposed and accepted and the full ITE process is documented as ITE-1.

Newcomers to the in-toto project are encouraged to familiarize themselves with the specification and to see it in action with the in-toto demo.

Attestations

The in-toto attestation framework is a stand-alone specification that defines the attestation format. An in-toto attestation is a piece of authenticated metadata that captures information about a set of software artifacts. The attestation framework was introduced in ITE-6.

Implementations

The in-toto maintainers oversee the development of four implementations of the specification. They are in varying states of conformance with the in-toto specification and the attestation framework.

in-toto-python (Reference Implementation)

This implementation was the first one and has reached the v1.0 milestone. As such, it makes stability guarantees and is actively used in production by some in-toto adopters.

Links:

in-toto-golang

This implementation is used for various cloud native integrations. It sees very active development as it's the testbed for experimental features and changes introduced as ITEs.

Links:

in-toto-java

The Java implementation was originally written to support integrations with the Jenkins CI/CD system. It implements some of the in-toto specification and also includes support for some attestation types.

Links:

in-toto-rs

in-toto-rs implements the in-toto specification in Rust. It is used in integrations with the Reproducible Builds project such as with rebuilderd.

Links:

Adopters and other repositories of note

in-toto is integrated into several other ecosystems and complementary software supply chain security efforts. An inexhaustive list of integrations and adoptions is maintained in the in-toto/friends repository.

The project maintains several integrations and resources pertaining to in-toto such as:

Contributions are welcome to these projects and any other repository in the in-toto GitHub organization.