GUAC aggregates software security metadata into a high fidelity graph database.
Updated Apr 23, 2026 - Go
SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more
A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.
Enabling Software Supply Chain Security Capabilities in ArgoCD
in-toto is a framework to secure the software supply chain.
GitHub Action implementation of SLSA Provenance Generation
Kettle builds and verifies attested builds, packages that include cryptographically signed SLSA provenance.
Pipeline for patching CVEs in container images 💉📦
Prototype in-toto attestation verifier based on ITE-10 and ITE-11 layouts
Free DSSE Attestation Online Decoder Tool
Library to create, verify, and evaluate policy for attestations on container images
AI Integrity Receipts — generate, verify, and attest cryptographic receipts for commits with declared AI involvement. Release verification with SLSA-compatible VSA. Zero dependencies. Apache 2.0.
A wrapper for running in-toto commands and using dbom repositories as the storage medium for the in-toto attestations
A paper on supply chain security in software development for Uni.
Learning-first docs site for software supply chain security, covering aflock, witness, go-witness, rookery, in-toto ITEs, Sigstore, SPIFFE/SPIRE, Kubernetes, CI/CD pipelines, and local labs.
Cryptographic attestation standard for security deliverables produced by autonomous LLM agents — RFC 6962 Merkle tree + in-toto ITE-6 envelope + OpenTimestamps + Rekor