in-toto provides a framework to protect the integrity of the software supply chain. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit.
Primarily, in-toto is a specification. This specification has been implemented in multiple languages. The specification can be extended or changed by proposing in-toto Enhancements. Several have been proposed and accepted and the full ITE process is documented as ITE-1.
Newcomers to the in-toto project are encouraged to familiarize themselves with the specification and to see it in action with the in-toto demo.
The in-toto attestation framework is a stand-alone specification that defines the attestation format. An in-toto attestation is a piece of authenticated metadata that captures information about a set of software artifacts. The attestation framework was introduced in ITE-6.
Attestation-verifier is a prototype of the verification capabilities introduced in ITE-10 and ITE-11.
The in-toto maintainers oversee the development of four implementations of the specification. They are in varying states of conformance with the in-toto specification and the attestation framework.
The Python implementation was the first one and has reached the v1.0 milestone. As such, it makes stability guarantees and is actively used in production by some in-toto adopters.
The Go implementation is used for various cloud native integrations. It sees very active development, as it is the testbed for experimental features and changes introduced as ITEs.
The Java implementation was originally written to support integrations with the Jenkins CI/CD system. It implements some of the in-toto specification and also includes support for some attestation types.
in-toto-rs implements the in-toto specification in Rust. It is used in integrations with the Reproducible Builds project such as with rebuilderd.
Witness is a dynamic CLI tool that integrates into pipelines and infrastructure to create an audit trail for your software's entire journey through the software development lifecycle (SDLC) using the in-toto specification. In addition, Witness features its own policy engine with embedded support for OPA Rego, so you can ensure that your software was handled safely from source to deployment.
Links:
- GitHub Repository (cli tool)
- GitHub Repository (library)
- Good First Issues (cli tool)
- Good First Issues (library)
- Website
Archivista is a graph and storage service for in-toto attestations. Archivista enables the discovery and retrieval of attestations for software artifacts.
in-toto is integrated into several other ecosystems and complementary software supply chain security efforts. A non-exhaustive list of integrations and adoptions is maintained in the in-toto/friends repository.
The project maintains several integrations and resources pertaining to in-toto, such as:
- in-toto Jenkins Plugin
- in-toto Helm Charts
- Dockerfiles
- in-toto Grafeas Connector
- Debian apt in-toto transport
Contributions are welcome to these projects and any other repository in the in-toto GitHub organization.