Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.

A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.

Enabling Software Supply Chain Security Capabilities in ArgoCD

in-toto is a framework to secure the software supply chain.

Github Action implementation of SLSA Provenance Generation

Go implementation for CNAB content trust verification using TUF, Notary, and in-toto

Pipeline for patching CVEs in container images 💉📦

Prototype in-toto attestation verifier based on ITE-10 and ITE-11 layouts

Library to create, verify, and evaluate policy for attestations on container images

Programmatically running in-toto verifications in a container

A wrapper for running in-toto commands and using dbom repositories as the storage medium for the in-toto attestations

A paper on supply chain security in software development for Uni.

This is just a experimental project to investigate things related to secure supply chain security.

[WIP] Python reference implementation for the CNAB security specification, with TUF, and in-toto

Jenkins Shared Library

an experimental rust implementation of in-toto verifylib