
in-toto

in-toto — CNCF graduated project for supply chain attestation. Framework for cryptographically verifying that each step in a software supply chain was performed as intended, by authorized parties.

Key takeaways

  • CNCF graduated project for supply chain attestation — cryptographically verifies each step in the supply chain was performed as intended
  • Layout files define the expected supply chain steps and authorized functionaries. Link metadata captures what actually happened. Verification checks the match
  • Foundation for SLSA provenance attestations. Used in Sigstore ecosystem. Implemented in Python, Go, Java, and Rust
  • Production use at Datadog, VMware, SolarWinds (post-breach), and Debian

FAQ

What is in-toto?

A CNCF graduated framework for supply chain attestation. Defines expected build steps and authorized parties, captures cryptographic evidence of what actually happened, and verifies the two match. Foundation for SLSA provenance.

Overview

in-toto is a CNCF graduated project that provides a framework for supply chain attestation. It cryptographically verifies that each step in a software supply chain was performed as intended, by authorized parties, producing expected outputs.

The framework uses layouts (what should happen and who should do it) and link metadata (what actually happened). Verification checks that the actual execution matches the expected layout. Foundation for SLSA provenance attestations.
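As an added illustration, not in-toto's own code or metadata format, the following Python sketch models the layout-versus-link verification just described: each step has authorized functionaries, each link is a signed claim, and one step's products must match the next step's materials (a simplified form of in-toto's MATCH rule). The functionary names, the keys and the use of HMAC in place of real asymmetric signatures are constructed assumptions.

```python
import hashlib
import hmac

# Constructed per-functionary secrets standing in for signing keys (HMAC keeps this self-contained).
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "mallory": b"mallory-secret"}
# Layout: expected steps, who may perform each, and whether a step's materials
# must equal the previous step's products (in-toto's MATCH rule, simplified).
LAYOUT = {"steps": [
    {"name": "clone", "functionaries": ["alice"]},
    {"name": "build", "functionaries": ["bob"], "match_previous": True},
]}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _payload(body: dict) -> bytes:
    return repr(sorted(body.items())).encode()

def sign_link(step, signer, materials, products):
    """Link metadata: a functionary's signed claim of what happened in one step."""
    body = {"step": step, "materials": materials, "products": products}
    return {"signed": body, "signer": signer,
            "sig": hmac.new(KEYS[signer], _payload(body), "sha256").hexdigest()}

def verify(layout, links):
    """Check links against the layout; returns violations (empty list = pass)."""
    problems, prev_products = [], None
    by_step = {l["signed"]["step"]: l for l in links}
    for step in layout["steps"]:
        link = by_step.get(step["name"])
        if link is None:
            problems.append(f"{step['name']}: no link metadata")
            continue
        if link["signer"] not in step["functionaries"]:
            problems.append(f"{step['name']}: signer {link['signer']} not authorized")
        else:
            want = hmac.new(KEYS[link["signer"]], _payload(link["signed"]), "sha256").hexdigest()
            if not hmac.compare_digest(want, link["sig"]):
                problems.append(f"{step['name']}: bad signature")
        if step.get("match_previous") and link["signed"]["materials"] != prev_products:
            problems.append(f"{step['name']}: materials differ from previous step's products")
        prev_products = link["signed"]["products"]
    return problems

def demo():
    """Honest chain, a build whose inputs were swapped, and an unauthorized builder."""
    src = {"main.c": digest(b"int main(void){return 0;}")}
    clone = sign_link("clone", "alice", {}, src)
    good = [clone, sign_link("build", "bob", src, {"app": digest(b"binary")})]
    swapped = [clone, sign_link("build", "bob", {"main.c": digest(b"evil")}, {"app": "x"})]
    rogue = [clone, sign_link("build", "mallory", src, {"app": "x"})]
    return verify(LAYOUT, good), verify(LAYOUT, swapped), verify(LAYOUT, rogue)
```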

Production use at Datadog, VMware, SolarWinds (post-breach), and Debian. Implementations in Python, Go, Java, and Rust.


Competitive Position

Strengths: CNCF graduated (highest maturity). Foundation for SLSA. Multi-language implementations. Production-proven at scale.

Weaknesses: Complex to set up. Requires defining supply chain layouts upfront. Framework, not a turnkey product.


Research by Ry Walker Research