GUAC aggregates software security metadata into a high fidelity graph database.
-
Updated
Jul 10, 2026 - Go
GUAC aggregates software security metadata into a high fidelity graph database.
SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more
A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.
Enabling Software Supply Chain Security Capabilities in ArgoCD
in-toto is a framework to secure the software supply chain.
Github Action implementation of SLSA Provenance Generation
Kettle builds and verifies attested builds, packages that include cryptographically signed SLSA provenance.
Pipeline for patching CVEs in container images 💉📦
Prototype in-toto attestation verifier based on ITE-10 and ITE-11 layouts
Free DSSE Attestation Online Decoder Tool
Library to create, verify, and evaluate policy for attestations on container images
Modular attestation monorepo for cilock — 30+ attestors, 9 signers, the rookery builder for custom binaries. The source of the cilock CLI.
AI Integrity Receipts — generate, verify, and attest cryptographic receipts for commits with declared AI involvement. Release verification with SLSA-compatible VSA. Zero dependencies. Apache 2.0.
An open-source software fab: natural language in, trustworthy software out. Reproducible build + signed provenance + AI/Human attribution, on a swappable agent base and forge. Built on SLSA / in-toto / Sigstore / DID.
GitHub Actions and GitLab CI integration for cilock — wrap any command or downstream action and emit a signed in-toto attestation.
Local-first AI agent governance with verifiable, tamper-evident audit trails. Wrap any agent CLI, anchor the journal at an RFC 3161 authority, export evidence anyone can verify. Zero dependencies.
A wrapper for running in-toto commands and using dbom repositories as the storage medium for the in-toto attestations
Learning-first docs site for software supply chain security, covering aflock, witness, go-witness, rookery, in-toto ITEs, Sigstore, SPIFFE/SPIRE, Kubernetes, CI/CD pipelines, and local labs.
Add a description, image, and links to the in-toto topic page so that developers can more easily learn about it.
To associate your repository with the in-toto topic, visit your repo's landing page and select "manage topics."