forked from in-toto/witness
Commit
updated docs further - tutorial not working
1 parent f99ec95, commit fe853af
Showing 6 changed files with 535 additions and 212 deletions.
@@ -0,0 +1,73 @@ | ||
# Witness [![Go Reference](https://pkg.go.dev/badge/github.com/in-toto/witness.svg)](https://pkg.go.dev/github.com/in-toto/witness) [![Go Report Card](https://goreportcard.com/badge/github.com/in-toto/witness)](https://goreportcard.com/report/github.com/in-toto/witness) [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8164/badge)](https://www.bestpractices.dev/projects/8164) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/in-toto/witness/badge)](https://securityscorecards.dev/viewer/?uri=github.com/in-toto/witness) | ||
|
||
<center> | ||
|
||
**[DOCS](https://witness.dev) • | ||
[CONTRIBUTING](./CONTRIBUTORS.md) • | ||
[LICENSE](./LICENSE)** | ||
<span style="font-size:0.9em;"> **Get Started Now 👇** </span><br> | ||
<span style="font-size:0.85em;">`bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)`</span><br><br> | ||
</center> | ||
|
||
<img src="https://github.com/in-toto/witness/raw/main/docs/assets/logo.png" align="right" | ||
alt="Witness project logo" width="150"> | ||
|
||
### What does Witness do?<br> | ||
✏️ **Attests** - <span style="font-size:0.9em;">Witness is a dynamic CLI tool that integrates into pipelines and infrastructure to create an | ||
audit trail for your software's entire journey through the software development lifecycle (SDLC) using the in-toto specification.</span><br> | ||
|
||
**🧐 Verifies** - <span style="font-size:0.9em;">Witness also features its own policy engine with embedded support for OPA Rego, so you can | ||
ensure that your software was handled safely from source to deployment.</span> | ||
|
||
### What can you do with Witness? | ||
- Verify how your software was produced and what tools were used | ||
- Ensure that each step of the supply chain was completed by authorized users and machines | ||
- Detect potential tampering or malicious activity | ||
- Distribute attestations and policy across air gaps | ||
|
||
### Key Features | ||
- Integrations with GitLab, GitHub, AWS, and GCP. | ||
- Designed to run in both containerized and non-containerized environments **without** elevated privileges. | ||
- Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7) | ||
- An embedded OPA Rego policy engine for policy enforcement | ||
- Keyless signing with Sigstore and SPIFFE/SPIRE | ||
- Integration with RFC3161 compatible timestamp authorities | ||
- Process tracing and process tampering prevention (Experimental) | ||
- Attestation storage with [Archivista](https://github.com/in-toto/archivista) | ||
|
||
### Demo | ||
![Demo][demo] | ||
|
||
## Quick Start | ||
|
||
### Installation | ||
To install Witness, all you will need is the Witness binary. You can download this from the [releases] | ||
(https://github.com/testifysec/witness/releases) page or use the install script to download the | ||
latest release: | ||
``` | ||
bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh) | ||
``` | ||
|
||
### Tutorials | ||
Check out our Tutorials: | ||
|
||
- [Getting Started](tutorials/getting-started.md) | ||
- [Verify an Artifact Policy](tutorials/artifact-policy.md) | ||
- [Using Fulcio as a Key Provider](tutorials/artifact-policy.md) | ||
|
||
## Media | ||
Check out some of the content out in the wild that gives more detail on how the project can be used. | ||
|
||
##### [Blog/Video - Generating and Verifying Attestations With Witness](https://www.testifysec.com/blog/attestations-with-witness/) | ||
##### [Blog - What is a supply chain attestation, and why do I need it?](https://www.testifysec.com/blog/what-is-a-supply-chain-attestation/) | ||
##### [Talk - Securing the Software Supply Chain with the in-toto & SPIRE projects](https://www.youtube.com/watch?v=4lFbdkB62QI) | ||
##### [Talk - Securing the Software Supply Chain with SBOM and Attestation](https://www.youtube.com/watch?v=wX6aTZfpJv0) | ||
|
||
## Get Involved with the Community! | ||
Join the [CNCF Slack](https://slack.cncf.io/) and join the `#in-toto-witness` channel. You might also be interested in joining the `#in-toto` channel for more general in-toto discussion, as well as | ||
the `#in-toto-archivista` channel for discussion regarding the [Archivista](https://github.com/in-toto/archivista) project. | ||
|
||
[demo]: docs/assets/demo.gif "Demo" | ||
|
||
## Background | ||
This project was created by [TestifySec](https://www.testifysec.com/) before being donated to the in-toto project. The project is maintained by the TestifySec Open Source team and a community of contributors. |
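Review bot: the releases link in the Installation section is broken twice over: the line break between `[releases]` and `(https://github.com/testifysec/witness/releases)` stops GitHub-flavoured Markdown from rendering it as a link, and the URL points at the `testifysec` organisation while every other link in this README (badges, install script, logo) uses `in-toto/witness`. Suggest keeping it on one line and pointing it at the same organisation the rest of the file uses, presumably `[releases](https://github.com/in-toto/witness/releases)`. In the Tutorials list, `Using Fulcio as a Key Provider` links to `tutorials/artifact-policy.md`, the same target as `Verify an Artifact Policy`; that looks like a copy-paste slip and may be the "tutorial not working" the commit message mentions, so point it at the Fulcio tutorial's own file (not named in this diff). Minor: the install fence carries no language tag; tagging it `bash` gives it highlighting and matches the one-liner shown at the top of the page.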
@@ -0,0 +1,11 @@ | ||
# How Witness Works | ||
|
||
### Signing | ||
Witness is able to observe your software development life-cycle (SDLC) by wrapping around commands executed within them. By passing any command to Witness as an argument, the tool is able to understand what was executed but also on what infrastructure, by what user or service account and more. The information that Witness gathers while the command is running is down to which [Attestors](docs/attestor.md) are used. Attestors are implementations of an interface that find and assert facts about the system Witness is running on (e.g., [AWS Attestor](docs/attestors/aws-iid.md)). Finally, Witness can compile this information into an [in-toto attestation](https://github.com/in-toto/attestation), place it in a [DSSE Envelope](https://github.com/secure-systems-lab/dsse) and sign that envelope with the key that was supplied by the user. | ||
|
||
### Storing | ||
For storage, the Witness project can upload signed attestations to an [Archivista](https://github.com/in-toto/archivista) server, a graph and storage service for in-toto attestations. This enables the discovery and retrieval of attestations for verification of software artifacts. | ||
|
||
### Verifying | ||
Witness allows users to verify the attestations that they generate by providing the `witness verify` command. To achieve this, Witness uses a [policy file](./docs/policy.md) defined by the user to check for presence of the expected attestations and that they were signed by the appropriate functionaries (Public keys or roots of trust that are trusted to sign certain types of attestation). To verify the attestation body itself, Witness supports defining [OPA Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) policies inside the policy file. This allows users to ensure the facts asserted by the Attestors are reported expected. | ||
|
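Review bot: the last sentence of the Verifying section has a grammar slip: "the facts asserted by the Attestors are reported expected" should read "are as expected" (or "match what the policy expects"). The relative doc links in this file are inconsistent (`docs/attestor.md` and `docs/attestors/aws-iid.md` versus `./docs/policy.md`) and all assume the page sits at the repository root; if it lives under `docs/` they will 404, so settle on one prefix and check that each path resolves. In the Signing paragraph, "wrapping around commands executed within them" leaves "them" without a clear antecedent; "within it" (the SDLC) or "within your pipelines" reads cleaner, and "is down to which Attestors are used" is clearer as "depends on which Attestors are used".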