We believe everyone deserves secure software. This is best accomplished through open source software and a free sharing of information, best practices, and technology. Witness and Archivista are just some of our contributions to accomplish this mission.
| Project | Summary |
|---|---|
| witness | Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance. |
| archivista | Archivist is a graph and storage service for in-toto attestations. Archivist enables the discovery and retrieval of attestations for software artifacts. |
| go-witness | A Go library implementation of Witness. |
| witness-run-action | A GitHub Action that allows you to create an attestation for your CI process using the Witness tool. It supports optional integrations with Sigstore for signing and Archivista for attestation storage and distibution. |
| witness-examples | A set of examples that show how to use and the potential of Witness. |
| policy-tool | The Witness Policy Tool is a command-line utility designed to ease the creation and validation of Witness policies. |
| charts | Helm Charts for deploying Archivista. |
| archivista-data-provider | An integration of OPA Gatekeeper's ExternalData feature with Witness to validate image admission by verifying them against a Witness policy. |
| Resource | Details |
|---|---|
| Calendar | Monthly Witness & Archivista Community Call (3rd Friday of Every Month) - see public Google Calendar |
| Notes | View our notes from community meetings |
| YouTube | View our recordings of community meetings |
| Forum | See GitHub Discussions |
@witness_dev |
| Project | Summary |
|---|---|
| in-toto | A framework to protect software supply chain integrity. |
| TUF | A framework for securing software update systems. |
| Sigstore | Fulcio, Cosign and Rekor handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software |
| SBOMIT | A SBOMit document is effectively an SBOM, generated with additional verification information to validate supply chain security. |
| CNCF TAG Security | The CNCF Security Technical Advisory Group facilitates collaboration to discover and produce resources that enable secure access, policy control, supply chains, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem. |
| wg-supply-chain-integrity | OpenSSF's Supply Chain Integrity working group enables open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use. |