Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
DOCS • CONTRIBUTING • LICENSE
bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)
✏️ Attests - Witness is a dynamic CLI tool that integrates into pipelines and infrastructure to create an audit trail for your software's entire journey through the software development lifecycle (SDLC) using the in-toto specification.
🧐 Verifies - Witness also features its own policy engine with embedded support for OPA Rego, so you can ensure that your software was handled safely from source to deployment.
To install Witness, all you will need is the Witness binary. You can download this from the [releases] (https://github.com/testifysec/witness/releases) page or use the install script to download the latest release:
bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)
Check out our Tutorials:
Check out some of the content out in the wild that gives more detail on how the project can be used.
Join the CNCF Slack and join the #in-toto-witness
channel. You might also be interested in joining the #in-toto
channel for more general in-toto discussion, as well as
the #in-toto-archivista
channel for discussion regarding the Archivista project.
This project was created by TestifySec before being donated to the in-toto project. The project is maintained by the TestifySec Open Source team and a community of contributors.