Package: wnpp
Severity: wishlist
Owner: Simon Josefsson <si...@josefsson.org>

* Package name    : witness
  Version         : 0.7.0-1
  Upstream Author : in-toto
* URL             : https://witness.dev/ https://github.com/in-toto/witness
* License         : Apache-2.0
  Programming Lang: Go
  Description     : pluggable framework for software supply chain risk management

 What does Witness do?
 .
 ✏️ **Attests** - Witness is a dynamic CLI tool that integrates into pipelines
 and infrastructure to create an audit trail for your software's entire journey
 through the software development lifecycle (SDLC) using the in-toto
 specification.
 .
 🧐 **Verifies** - Witness also features its own policy engine with embedded
 support for OPA Rego, so you can ensure that your software was handled safely
 from source to deployment.
 .
 What can you do with Witness?
 .
 * Verify how your software was produced and what tools were used
 * Ensure that each step of the supply chain was completed by authorized users
   and machines
 * Detect potential tampering or malicious activity
 * Distribute attestations and policy across air gaps
 .
 Key Features
 .
 * Integrations with GitLab, GitHub, AWS, and GCP.
 * Designed to run in both containerized and non-containerized environments
   **without** elevated privileges.
 * Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7)
 * An embedded OPA Rego policy engine for policy enforcement
 * Keyless signing with Sigstore and SPIFFE/SPIRE
 * Integration with RFC3161 compatible timestamp authorities
 * Process tracing and process tampering prevention (Experimental)
 * Attestation storage with Archivista (https://github.com/in-toto/archivista)

https://salsa.debian.org/go-team/packages/witness
https://salsa.debian.org/jas/witness/-/pipelines

/Simon
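The "Attests" and "ITE-6" points in the description above refer to in-toto Statements carried in DSSE envelopes, which is the attestation format in-toto tooling produces and verifies. The Go program below is an added example, not code from witness, in-toto or the Debian packaging, showing what such a statement looks like, how its DSSE signature is computed over the Pre-Authentication Encoding rather than the raw payload, and why a verifier must check the signature before it interprets the payload. The Ed25519 key, the artifact bytes, the key id "key-1", the predicate type https://example.org/build/v1 and the predicate contents are all constructed for this example; witness itself, per the description, also supports keyless signing with Sigstore and SPIFFE/SPIRE, so a real deployment would trust an identity or certificate rather than a bare public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const (
	statementType = "https://in-toto.io/Statement/v1" // ITE-6 statement type
	payloadType   = "application/vnd.in-toto+json"    // DSSE payloadType for in-toto
)

// Statement is the ITE-6 claim: the artifacts (subjects) it is about and the predicate asserted
// about them. Envelope is DSSE: a base64 payload plus signatures over PAE(payloadType, payload).
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// pae is DSSE's Pre-Authentication Encoding; binding the type into the signed bytes stops replay under another payloadType.
func pae(ptype string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(ptype), ptype, len(body), body))
}

// Sign serialises the statement and signs its PAE with an Ed25519 key.
func Sign(stmt *Statement, priv ed25519.PrivateKey, keyID string) (*Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return nil, err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, body)))
	return &Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: sig}}}, nil
}

// Verify accepts the envelope only if some signature validates under pub, and
// decodes the payload afterwards so unsigned bytes never reach the JSON parser.
func Verify(env *Envelope, pub ed25519.PublicKey) (*Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != payloadType {
		return nil, fmt.Errorf("bad envelope (payloadType %q): %v", env.PayloadType, err)
	}
	msg, ok := pae(env.PayloadType, body), false
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		ok = ok || (err == nil && ed25519.Verify(pub, msg, raw))
	}
	if !ok {
		return nil, fmt.Errorf("no signature verifies under the trusted key")
	}
	var stmt Statement
	if err := json.Unmarshal(body, &stmt); err != nil || stmt.Type != statementType || len(stmt.Subject) == 0 {
		return nil, fmt.Errorf("payload is not a well-formed in-toto statement: %v", err)
	}
	return &stmt, nil
}

// RoundTrip signs a constructed attestation, verifies it, then shows that
// re-pointing the signed payload at another artifact without re-signing fails.
func RoundTrip() (genuineOK, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	stmt := &Statement{Type: statementType, PredicateType: "https://example.org/build/v1", // constructed values
		Subject:   []Subject{{Name: "dist/app", Digest: map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256([]byte("constructed build output\n")))}}},
		Predicate: json.RawMessage(`{"builder":"ci-runner-42","command":["go","build","./..."]}`)}
	env, _ := Sign(stmt, priv, "key-1") // marshalling a struct built right here cannot fail
	_, err = Verify(env, pub)
	genuineOK = err == nil
	// Attacker keeps the valid signature but swaps the subject digest in the payload.
	stmt.Subject[0].Digest["sha256"] = fmt.Sprintf("%x", sha256.Sum256([]byte("backdoored artifact")))
	forged, _ := json.Marshal(stmt)
	tampered := &Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(forged), Signatures: env.Signatures}
	_, err = Verify(tampered, pub)
	return genuineOK, err == nil
}

func main() {
	fmt.Println(RoundTrip()) // prints: true false
}
```

The order inside Verify is the point a reviewer would check in any attestation consumer: the signature is validated over PAE(payloadType, payload) first, and only then is the payload parsed and its `_type` and subject list inspected, so a forged or re-targeted statement is rejected before any of its contents can influence a policy decision.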