
# Witness & Archivista Community

We believe everyone deserves secure software. This is best accomplished through open source software and the free sharing of information, best practices, and technology. Witness and Archivista are some of our contributions toward this mission.

## Projects Overview

| Project | Summary |
| --- | --- |
| witness | Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance. |
| archivista | Archivista is a graph and storage service for in-toto attestations. Archivista enables the discovery and retrieval of attestations for software artifacts. |
| go-witness | A Go library implementation of Witness. |
| witness-run-action | A GitHub Action that allows you to create an attestation for your CI process using the Witness tool. It supports optional integrations with Sigstore for signing and Archivista for attestation storage and distribution. |
| witness-examples | A set of examples that show how to use Witness and what it can do. |
| policy-tool | The Witness Policy Tool is a command-line utility designed to ease the creation and validation of Witness policies. |
| charts | Helm Charts for deploying Archivista. |
| archivista-data-provider | An integration of OPA Gatekeeper's ExternalData feature with Witness that validates image admission by verifying images against a Witness policy. |

## Community Meetings

| Resource | Details |
| --- | --- |
| Calendar | Monthly Witness & Archivista Community Call (3rd Friday of every month) - see the public Google Calendar |
| Notes | View our notes from community meetings |
| YouTube | View our recordings of community meetings |
| Forum | See GitHub Discussions |
| Twitter | @witness_dev |

## Related Communities

| Project | Summary |
| --- | --- |
| in-toto | A framework to protect software supply chain integrity. |
| TUF | A framework for securing software update systems. |
| Sigstore | Fulcio, Cosign and Rekor handle the digital signing, verification and provenance checks needed to make it safer to distribute and use open source software. |
| SBOMit | An SBOMit document is effectively an SBOM generated with additional verification information to validate supply chain security. |
| CNCF TAG Security | The CNCF Security Technical Advisory Group facilitates collaboration to discover and produce resources that enable secure access, policy control, supply chains, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem. |
| wg-supply-chain-integrity | OpenSSF's Supply Chain Integrity working group enables open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use. |
