in-toto
In-toto is an open-source framework for end-to-end verification of software supply chains. It provides a mechanism to capture and verify the provenance of artifacts such as source code, built binaries, container images, and release packages. The goal is to ensure that every meaningful step in the supply chain is performed as intended and that evidence of that execution is tamper-evident and verifiable by downstream consumers.
Central to in-toto are the concepts of layouts and link records. A layout defines the expected steps
In-toto is designed for integration with existing CI/CD pipelines and release workflows, supporting use-cases such as
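To make the layout and link records described above concrete, the following is an added toy example, not the in-toto library's own code or metadata format: a layout names the expected steps, which keys may sign each step, and which materials of a step must match the products of an earlier step; a link records the hashes of what a step consumed and produced. An HMAC over canonical JSON stands in for in-toto's asymmetric signatures (an assumption made to keep the example dependency-free), and the step names, keys and artifact bytes are constructed.

```python
import hashlib
import hmac
import json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(key: bytes, signed: dict) -> str:
    # HMAC over canonical JSON stands in for in-toto's asymmetric signatures (assumption).
    canon = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def make_link(step: str, key: bytes, materials: dict, products: dict) -> dict:
    # A link records the hashes of what a step consumed and produced, then signs them.
    signed = {"step": step,
              "materials": {n: digest(b) for n, b in materials.items()},
              "products": {n: digest(b) for n, b in products.items()}}
    return {"signed": signed, "sig": sign(key, signed)}

def verify(layout: dict, links: dict, keys: dict) -> list:
    # Check each layout step against its link; return the violations found.
    errors = []
    for step in layout["steps"]:
        name, link = step["name"], links.get(step["name"])
        if link is None:
            errors.append(f"{name}: no link record")
            continue
        if not any(hmac.compare_digest(link["sig"], sign(keys[k], link["signed"]))
                   for k in step["keys"]):
            errors.append(f"{name}: not signed by an authorised key")
        # Chaining rule: each listed material must equal the named product of an earlier step.
        for artifact, producer in step["match"].items():
            expected = links.get(producer, {}).get("signed", {}).get("products", {}).get(artifact)
            if expected is None or link["signed"]["materials"].get(artifact) != expected:
                errors.append(f"{name}: {artifact} differs from what {producer} produced")
    return errors

# Constructed scenario: 'build' emits app.bin and 'package' must consume exactly that file.
KEYS = {"builder": b"builder-secret", "packager": b"packager-secret"}
LAYOUT = {"steps": [{"name": "build", "keys": ["builder"], "match": {}},
                    {"name": "package", "keys": ["packager"], "match": {"app.bin": "build"}}]}

def run_pipeline(tamper: bool = False) -> list:
    built = b"\x7fELF constructed binary"
    links = {"build": make_link("build", KEYS["builder"], {"main.c": b"int main(){}"}, {"app.bin": built})}
    consumed = built + b"\x90" if tamper else built  # tamper: binary altered between the two steps
    links["package"] = make_link("package", KEYS["packager"], {"app.bin": consumed}, {"app.tar": b"tar"})
    return verify(LAYOUT, links, KEYS)
```

`run_pipeline()` returns no violations, while `run_pipeline(tamper=True)` reports that the binary the package step consumed is not the one the build step produced, which is the kind of tamper-evidence a downstream consumer checks before trusting a release.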