GUAC aggregates software security metadata into a high fidelity graph database.
Updated Jun 9, 2026 - Go
SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more
A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.
Enabling Software Supply Chain Security Capabilities in ArgoCD
in-toto is a framework to secure the software supply chain.
GitHub Action implementation of SLSA Provenance Generation
Kettle builds and verifies attested builds, packages that include cryptographically signed SLSA provenance.
Pipeline for patching CVEs in container images 💉📦
Prototype in-toto attestation verifier based on ITE-10 and ITE-11 layouts
Free DSSE Attestation Online Decoder Tool
Turning AI-driven findings into trustworthy science
Library to create, verify, and evaluate policy for attestations on container images
Modular attestation monorepo for cilock — 30+ attestors, 9 signers, the rookery builder for custom binaries. The source of the cilock CLI.
AI Integrity Receipts — generate, verify, and attest cryptographic receipts for commits with declared AI involvement. Release verification with SLSA-compatible VSA. Zero dependencies. Apache 2.0.
GitHub Actions and GitLab CI integration for cilock — wrap any command or downstream action and emit a signed in-toto attestation.
A wrapper for running in-toto commands and using dbom repositories as the storage medium for the in-toto attestations
Local-first AI agent governance with verifiable, tamper-evident audit trails. Wrap any agent CLI, anchor the journal at an RFC 3161 authority, export evidence anyone can verify. Zero dependencies.