Package: wnpp
Severity: wishlist
Owner: Simon Josefsson <simon@josefsson.org>
* Package name    : witness
  Version         : 0.7.0-1
  Upstream Author : in-toto
* URL             : https://witness.dev/
                    https://github.com/in-toto/witness
* License         : Apache-2.0
  Programming Lang: Go
  Description     : pluggable framework for software supply chain risk management
What does Witness do?
.
✏️ **Attests** - Witness is a dynamic CLI tool that integrates into
pipelines and infrastructure to create an audit trail for your
software's entire journey through the software development lifecycle
(SDLC) using the in-toto specification.
.
**🧐 Verifies** - Witness also features its own policy engine with
embedded support for OPA Rego, so you can ensure that your software was
handled safely from source to deployment.
.
What can you do with Witness?
.
* Verify how your software was produced and what tools were used
* Ensure that each step of the supply chain was completed by authorized
users and machines
* Detect potential tampering or malicious activity
* Distribute attestations and policy across air gaps
.
Key Features
.
* Integrations with GitLab, GitHub, AWS, and GCP.
* Designed to run in both containerized and non-containerized
environments **without** elevated privileges.
* Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7)
* An embedded OPA Rego policy engine for policy enforcement
* Keyless signing with Sigstore and SPIFFE/SPIRE
* Integration with RFC3161 compatible timestamp authorities
* Process tracing and process tampering prevention (Experimental)
* Attestation storage with Archivista (https://github.com/in-toto/archivista)
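As an added illustration of the "Verifies" feature above (this is example code written for this page, not taken from the Witness project or from the ITP), here is the kind of Rego module the embedded policy engine evaluates against an attestation. It assumes that Witness exposes the matching attestation's predicate as `input`, that the command-run attestor's predicate carries `cmd` (the argv list) and `exitcode`, and that any non-empty `deny` set fails verification of the step; the package name and the expected command are placeholders.

```rego
# Added example, not part of the Witness project or of the ITP above.
# Assumptions: Witness evaluates this module with the attestation predicate
# bound to `input`; the command-run predicate has `cmd` (list of strings)
# and `exitcode` (integer); a non-empty `deny` set fails the step.
package commandrun.cmd

# The only command the "build" step is allowed to have executed
# (placeholder for whatever the pipeline actually runs).
expected_cmd := ["go", "build", "-o=testapp", "."]

# Reject a build step that ran anything other than the expected argv,
# e.g. an extra flag or a different entry point injected into the job.
deny[msg] {
	input.cmd != expected_cmd
	msg := sprintf("unexpected build command: %v", [input.cmd])
}

# Reject a build step whose recorded process did not exit cleanly, so a
# failed build cannot be passed off as a successful one downstream.
deny[msg] {
	input.exitcode != 0
	msg := sprintf("build exited with status %d", [input.exitcode])
}
```

To use such a module, the policy document that `witness verify` consumes lists, per step, the attestation types it requires and, for each, the Rego modules to run (my understanding is that each module's source is embedded base64-encoded; treat that as an assumption and check the policy schema of the release you package). The policy file is itself signed, and verification fails unless every required attestation was produced by an authorized functionary key and every Rego module returns an empty `deny` set. Exact flag names differ between releases, so consult `witness verify --help` for 0.7.0 rather than relying on older quick-start guides.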
https://salsa.debian.org/go-team/packages/witness
https://salsa.debian.org/jas/witness/-/pipelines
/Simon