Safeguard
Tag

in-toto

Safeguard articles tagged "in-toto" — guides, analysis, and best practices for software supply chain and application security.

15 articles

Concepts

What Is the in-toto Framework?

in-toto is a framework for cryptographically verifying that every step in a software supply chain was performed as planned by authorized parties. Here's how layouts, link metadata, and functionaries fit together.

Jul 6, 20266 min read
Concepts

What Is an Artifact Attestation?

An artifact attestation is a signed, machine-readable claim about a software artifact, bound to it by digest. Here's how the in-toto structure works and what kinds of claims it carries.

Jul 4, 20266 min read
Software Supply Chain Security

What is In-toto Attestation

In-toto attestation is a signed, verifiable record of how software was built. Here's how the format works, how it differs from an SBOM, and where it's used today.

Mar 6, 20267 min read
Software Supply Chain Security

What is Software Provenance

Software provenance proves where an artifact came from and how it was built. Learn what it is, why it matters, and how to verify it with SLSA and Sigstore.

Mar 5, 20267 min read
Software Supply Chain Security

What is an Attestation (Software Security)

Software attestations are signed, verifiable proofs of how code was built and secured — now a legal requirement for US federal software vendors since March 2024.

Mar 5, 20267 min read
Software Supply Chain Security

in-toto Attestation Framework Walkthrough 2026

A working engineer's tour of in-toto in 2026: layouts, links, the attestation predicate ecosystem, and how it composes with SLSA, sigstore, and SBOMs.

Mar 2, 20265 min read
Software Supply Chain Security

SLSA Level 3 Implementation Blueprint 2026

A practical blueprint for reaching SLSA Level 3 in 2026: hosted builders, provenance generation, verification gates, and the operational habits that hold the line.

Feb 15, 20266 min read
Container Security

OCI + CNCF Image Supply Chain: 2026 Snapshot

Where the OCI and CNCF image supply chain ecosystem actually sits in 2026, what has stabilized, what is still contested, and what to deploy now versus later.

Feb 3, 20267 min read
Buyer's Guides

Best software supply chain attestation tools

A practical, no-hype comparison of software supply chain attestation tools — in-toto, Sigstore, GUAC, GitHub, JFrog, and Chainguard — plus how to pick the right fit.

Nov 18, 20257 min read
Tools

Cosign v2.6: New Bundle Format and Trusted Root

Sigstore's Cosign v2.6 unlocks offline verification, in-toto statement signing, and trusted-root portability. We walk through the new --new-bundle-format flag end-to-end.

Oct 21, 20255 min read
Build Security

Software Attestation Frameworks Compared: SLSA, in-toto, and Sigstore

Software attestation proves that your artifacts were built the way you claim. Here is a practical comparison of SLSA, in-toto, and Sigstore for securing your build pipeline.

Sep 25, 20258 min read
Industry

in-toto Graduates from CNCF: Attestation Bundles and the v1 Layer

in-toto reached CNCF graduation in April 2025 and shipped a major attestation framework release. We walk through the bundle layer, resource descriptors, and what producers should adopt.

Jul 15, 20257 min read
in-toto — Safeguard Blog