The CNCF Technical Oversight Committee (TOC) has voted to accept in-toto as a CNCF incubating project. in-toto is a framework that enables libraries to collect information about software supply chain actions, allowing software consumers and project managers to publish policies about software supply chain practices that can be verified before deploying or installing software. in-toto was the first project to go through the security assessment by CNCF’s TAG Security.
Created in 2015 by Secure Systems Lab of New York University’s Tandon School of Engineering, the project aims to tackle software supply chain security, one of the biggest challenges facing the software ecosystem today. in-toto provides secure and trustworthy ways to represent and attest all the operations within the cloud native pipeline.
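To make the model described above concrete, here is an added illustration (not in-toto's own code or its metadata format) of the two halves it names: each step records signed "link" metadata holding the hashes of what it consumed and produced, and a verifier checks those links against a policy ("layout") before anything is deployed. The key ids, step names, artifact names and the use of HMAC secrets in place of in-toto's asymmetric signing keys are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed example: HMAC secrets stand in for the per-functionary signing
# keys of real in-toto, which uses asymmetric keys so verifiers hold only
# public keys. Key ids and step names are assumptions, not in-toto's own.
KEYS = {"builder-key": b"builder-secret", "packager-key": b"packager-secret"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic encoding so the signature covers exactly what the verifier hashes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_step(step_name, key_id, materials, products):
    """Link metadata for one step: hashes of what it consumed and produced, signed."""
    link = {
        "_type": "link",
        "name": step_name,
        "materials": {n: sha256(b) for n, b in materials.items()},
        "products": {n: sha256(b) for n, b in products.items()},
    }
    sig = hmac.new(KEYS[key_id], canonical(link), hashlib.sha256).hexdigest()
    return {"signed": link, "signatures": [{"keyid": key_id, "sig": sig}]}


def signature_valid(link):
    """Return the key id that validly signed the link, or None."""
    for s in link["signatures"]:
        key = KEYS.get(s["keyid"])
        if key is None:
            continue
        expected = hmac.new(key, canonical(link["signed"]), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, s["sig"]):
            return s["keyid"]
    return None


def verify_layout(layout, links):
    """Check every step in the layout against the collected links.
    Returns a list of violations; an empty list means the chain matches the policy."""
    errors = []
    for step in layout["steps"]:
        name = step["name"]
        link = links.get(name)
        if link is None:
            errors.append(f"{name}: no link metadata")
            continue
        if signature_valid(link) not in step["authorized_keys"]:
            errors.append(f"{name}: not signed by an authorized functionary")
            continue
        rules = step.get("expected_materials", [])
        for rule in rules:
            # MATCH rule: this step's material must be byte-identical to the named
            # product of an earlier step, proving nothing changed in between.
            artifact, src = rule["match"], rule["with_products_from"]
            got = link["signed"]["materials"].get(artifact)
            want = links.get(src, {}).get("signed", {}).get("products", {}).get(artifact)
            if got is None or want is None or got != want:
                errors.append(f"{name}: material {artifact} does not match product of {src}")
        unexpected = set(link["signed"]["materials"]) - {r["match"] for r in rules}
        if unexpected and step.get("disallow_other_materials"):
            errors.append(f"{name}: unexpected materials {sorted(unexpected)}")
    return errors


# Constructed policy: who may sign each step and how artifacts must flow between steps.
LAYOUT = {
    "steps": [
        {"name": "build", "authorized_keys": ["builder-key"]},
        {"name": "package", "authorized_keys": ["packager-key"],
         "expected_materials": [{"match": "app.bin", "with_products_from": "build"}],
         "disallow_other_materials": True},
    ]
}


def run_pipeline(tamper: bool = False):
    """Simulate the two steps; with tamper=True the binary is swapped between them."""
    source = b"int main(){return 0;}"           # constructed input
    binary = b"\x7fELF-built-from-source"       # constructed build output
    build = record_step("build", "builder-key", {"main.c": source}, {"app.bin": binary})
    if tamper:
        binary = b"\x7fELF-modified-in-transit"  # artifact altered after the build step
    package = record_step("package", "packager-key",
                          {"app.bin": binary}, {"app.tar": binary + b"tar"})
    return verify_layout(LAYOUT, {"build": build, "package": package})


if __name__ == "__main__":
    print("clean pipeline:", run_pipeline() or "OK")
    print("tampered pipeline:", run_pipeline(tamper=True))
```

The point the example makes is that the policy is checked against evidence, not against trust in any one step: a substituted artifact, a missing link, or a link signed by the wrong functionary each surfaces as a concrete violation before the install or deploy decision.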
in-toto joined the CNCF Sandbox, an entry point for early-stage projects, in 2019. Since then, in-toto has attracted more than 132 contributors from more than 16 different organizations. The project now has 8 maintainers and approvers from 5 organizations.
in-toto has been adopted in production by a number of organizations including Datadog, Google Grafeas, Kubesec.io, rebuilderd, SolarWinds, and Sigstore's Cosign. The project has also been integrated into security applications like Reproducible Builds and Sigstore. Sigstore uses in-toto as an underlying technology to attest to various supply chain actions; it is the second most used mechanism on Sigstore. Datadog uses in-toto to secure their pipelines. rebuilderd produces in-toto attestations to allow for cryptographically verifiable build-reproducibility checks.
in-toto's roadmap for the coming year includes adding new features, such as support for expressive type tracking during evidence collection, better native support for SLSA attestation handling, and a simpler policy language, as well as a collection of "best supply chain practices" policies to ease adoption for projects looking to secure their supply chains.