Witness
DOCS • CONTRIBUTING • LICENSE
bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)
What does Witness do?
✏️ Attests - Witness is a dynamic CLI tool that integrates into pipelines and infrastructure to create an audit trail for your software's entire journey through the software development lifecycle (SDLC) using the in-toto specification.
🧐 Verifies - Witness also features its own policy engine with embedded support for OPA Rego, so you can ensure that your software was handled safely from source to deployment.
What can you do with Witness?
- Verify how your software was produced and what tools were used
- Ensure that each step of the supply chain was completed by authorized users and machines
- Detect potential tampering or malicious activity
- Distribute attestations and policy across air gaps
Key Features
- Integrations with GitLab, GitHub, AWS, and GCP.
- Designed to run in both containerized and non-containerized environments without elevated privileges.
- Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7)
- An embedded OPA Rego policy engine for policy enforcement
- Keyless signing with Sigstore and SPIFFE/SPIRE
- Integration with RFC3161 compatible timestamp authorities
- Process tracing and process tampering prevention (Experimental)
- Attestation storage with Archivista
Demo
Quick Start
Installation
To install Witness, all you will need is the Witness binary. You can download this from the [releases] (https://github.com/testifysec/witness/releases) page or use the install script to download the latest release:
bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)
If you want install it manually and verify its integrity follow the instructions in the INSTALL.md.
Tutorials
Check out our Tutorials:
Media
Check out some of the content out in the wild that gives more detail on how the project can be used.
Blog/Video - Generating and Verifying Attestations With Witness
Blog - What is a supply chain attestation, and why do I need it?
Talk - Securing the Software Supply Chain with the in-toto & SPIRE projects
Talk - Securing the Software Supply Chain with SBOM and Attestation
Get Involved with the Community!
Join the CNCF Slack and join the #in-toto-witness
channel. You might also be interested in joining the #in-toto
channel for more general in-toto discussion, as well as
the #in-toto-archivista
channel for discussion regarding the Archivista project.
Background
This project was created by TestifySec before being donated to the in-toto project. The project is maintained by the TestifySec Open Source team and a community of contributors.