README
Witness is a pluggable framework for supply chain security
Witness prevents tampering with build materials and verifies the integrity of the build process from source to target. It works by wrapping the commands executed in a continuous integration process. Its attestation system is pluggable and offers out-of-the-box support for most major CI and infrastructure providers. Verification of Witness metadata, together with a secure PKI distribution system, mitigates many supply chain attack vectors.
- Records secure hashes of materials, artifacts, and events occurring during the CI process
- Integrations with cloud identity services
- Keyless signing with SPIFFE/SPIRE
- Support for uploading attestation evidence to a Rekor server (Sigstore)
- Build policy enforcement with Open Policy Agent
Getting Started
# download and unpack the release for your platform (VERSION and ARCH set beforehand)
curl -LO https://github.com/testifysec/witness/releases/download/${VERSION}/witness_${VERSION}_${ARCH}.tar.gz
tar -xzf witness_${VERSION}_${ARCH}.tar.gz
# generate an ed25519 private key that will sign the attestation
openssl genpkey -algorithm ed25519 -outform PEM -out testkey.pem
# run the build under witness: attestations for the "build" step are signed with testkey.pem and written to attestation.json
./witness run -s build -k testkey.pem -o attestation.json -- \
  go build .
# inspect the result: extract the base64-encoded payload from the envelope and pretty-print it
cat attestation.json | jq -r .payload | base64 -d | jq
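The last command only base64-decodes the payload so you can read it; what establishes trust is the signature over the envelope. The following is an added example, not code from the Witness project: it assumes attestation.json has the DSSE shape (payload, payloadType, signatures[].sig) and verifies the ed25519 signature over the DSSE pre-authentication encoding, using a freshly generated key in place of testkey.pem and a constructed payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is the DSSE-style JSON that `witness run -o attestation.json` writes (assumed shape).
type Envelope struct {
	Payload     string      `json:"payload"`
	PayloadType string      `json:"payloadType"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	Sig string `json:"sig"` // keyid and certificate fields are left out; unknown fields are ignored on decode
}

// pae is the DSSE pre-authentication encoding: the signature covers payload type and payload bytes together.
func pae(typ string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(payload), payload))
}

// VerifyEnvelope returns the decoded payload only if some signature verifies under pub; decoding alone proves nothing.
func VerifyEnvelope(raw []byte, pub ed25519.PublicKey) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, err
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	for _, s := range env.Signatures {
		sig, serr := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && serr == nil && ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
			return payload, nil
		}
	}
	return nil, fmt.Errorf("no signature in envelope verifies under the given key")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for testkey.pem from the README
	payload := []byte(`{"_type":"constructed sample statement"}`)
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae("application/vnd.in-toto+json", payload)))
	raw, _ := json.Marshal(Envelope{base64.StdEncoding.EncodeToString(payload), "application/vnd.in-toto+json", []Signature{{sig}}})
	got, err := VerifyEnvelope(raw, pub)
	fmt.Printf("payload=%s err=%v\n", got, err)
}
```

Because the signature binds payloadType to the payload, changing either field, or checking with a different public key, makes VerifyEnvelope return an error.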
Usage
- Run - Runs the provided command and records attestations about the execution.
- Sign - Signs the provided file with the provided key.
- Verify - Verifies a witness policy.
Attestors
- AWS - Attestor for AWS Instance Metadata
- GCP - Attestor for GCP Instance Identity Service
- GitLab - Attestor for GitLab Pipelines
- GitHub - Attestor for GitHub Actions
- CommandRun - Attestor for running a command
- Artifact - Attestor for uploading artifacts
- Environment - Attestor for environment variables
- Git - Attestor for Git Repository
Support
TestifySec provides support for Witness and other CI security tools. Contact Us