Witness

<img src="https://raw.githubusercontent.com/in-toto/witness/main/docs/assets/logo.png" align="right" alt="Witness project logo" width="200">

What does Witness do?

✏️ Attests - Witness is a dynamic CLI tool that integrates into pipelines and infrastructure to create an audit trail for your software's entire journey through the software development lifecycle (SDLC) using the in-toto specification.

🧐 Verifies - Witness also features its own policy engine with embedded support for OPA Rego, so you can ensure that your software was handled safely from source to deployment.

What can you do with Witness?

• Verify how your software was produced and what tools were used
• Ensure that each step of the supply chain was completed by authorized users and machines
• Detect potential tampering or malicious activity
• Distribute attestations and policy across air gaps

Key Features

• Integrations with GitLab, GitHub, AWS, and GCP.
• Designed to run in both containerized and non-containerized environments without elevated privileges.
• Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7)
• An embedded OPA Rego policy engine for policy enforcement
• Keyless signing with Sigstore and SPIFFE/SPIRE
• Integration with RFC3161 compatible timestamp authorities
• Process tracing and process tampering prevention (Experimental)
  • Attestation storage with Archivista

Demo

Quick Start

Installation

To install Witness, all you will need is the Witness binary. You can download this from the [releases] (https://github.com/testifysec/witness/releases) page or use the install script to download the latest release:

bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)

Tutorials

Check out our Tutorials:

• Getting Started
• Verify an Artifact Policy
• Using Fulcio as a Key Provider

Media

Check out some of the content out in the wild that gives more detail on how the project can be used.

Blog/Video - Generating and Verifying Attestations With Witness

Blog - What is a supply chain attestation, and why do I need it?

Talk - Securing the Software Supply Chain with the in-toto & SPIRE projects

Talk - Securing the Software Supply Chain with SBOM and Attestation

Get Involved with the Community!

Join the CNCF Slack and join the #in-toto-witness channel. You might also be interested in joining the #in-toto channel for more general in-toto discussion, as well as the #in-toto-archivista channel for discussion regarding the Archivista project.

Background

This project was created by TestifySec before being donated to the in-toto project. The project is maintained by the TestifySec Open Source team and a community of contributors.