Tag
in-toto
Safeguard articles tagged "in-toto" — guides, analysis, and best practices for software supply chain and application security.
15 articles
SBOM & Compliance
Witness Attestation Collection Workflow
Witness turns build steps into a chain of signed attestations. Here is how we use it in production pipelines, what it does well, and where the edges still cut.
Sep 22, 20247 min read
SBOM & Compliance
in-toto Attestation Formats Reviewed
The in-toto attestation framework is the plumbing under SLSA, Sigstore, and most supply chain tooling. Here is a practical review of the v1 formats and their edges.
Jun 28, 20246 min read
Concepts
What is a Software Attestation
A software attestation is a signed, machine-readable claim about an artifact — who built it, what it contains, which checks it passed — that a machine can verify before trusting it.
Mar 10, 20246 min read