DOCS • CONTRIBUTING • LICENSE
bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)
✏️ Attests - Witness is a dynamic CLI tool that integrates into pipelines and infrastructure to create an audit trail for your software's entire journey through the software development lifecycle (SDLC) using the in-toto specification.
🧐 Verifies - Witness also features its own policy engine with embedded support for OPA Rego, so you can ensure that your software was handled safely from source to deployment.
- Verify how your software was produced and what tools were used
- Ensure that each step of the supply chain was completed by authorized users and machines
- Detect potential tampering or malicious activity
- Distribute attestations and policy across air gaps
- Integrations with GitLab, GitHub, AWS, and GCP.
- Designed to run in both containerized and non-containerized environments without elevated privileges.
- Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7)
- An embedded OPA Rego policy engine for policy enforcement
- Keyless signing with Sigstore and SPIFFE/SPIRE
- Integration with RFC3161 compatible timestamp authorities
- Process tracing and process tampering prevention (Experimental)
- Attestation storage with Archivista
To install Witness, all you will need is the Witness binary. You can download this from the [releases] (https://github.com/testifysec/witness/releases) page or use the install script to download the latest release:
bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)
Check out our Tutorials:
Check out some of the content out in the wild that gives more detail on how the project can be used.
Join the CNCF Slack and join the #in-toto-witness
channel. You might also be interested in joining the #in-toto
channel for more general in-toto discussion, as well as
the #in-toto-archivista
channel for discussion regarding the Archivista project.
This project was created by TestifySec before being donated to the in-toto project. The project is maintained by the TestifySec Open Source team and a community of contributors.