implementing-supply-chain-security-with-in-toto

Featured

Implement software supply chain integrity verification for container builds using the in-toto framework to create cryptographically signed attestations across CI/CD pipeline steps.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Implementing Supply Chain Security with in-toto

## Overview

in-toto is a CNCF graduated project that ensures the integrity of software supply chains from initiation to end-user installation. It creates a verifiable record of the entire software development lifecycle by generating cryptographically signed attestations (called "link metadata") at each step, proving what happened, who performed it, and what artifacts were produced. For container environments, in-toto verifies that images deployed to Kubernetes followed approved build processes and have not been tampered with.

## When to Use

- When deploying or configuring in-toto supply chain security capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation

## Prerequisites

- Python 3.8+ or Go runtime for in-toto client libraries
- GPG or Ed25519 keys for signing attestations
- Container build pipeline (Docker, Buildah, or Kaniko)
- Container registry (Docker Hub, ECR, GCR, or Harbor)
- Kubernetes cluster for deployment verification

## Core Concepts

### Supply Chain Layout

The layout is the central policy document that defines:

- **Steps**: Ordered operations in the supply chain (clone, build, test, package, push)
- **Functionaries**: Authorized entities (people or CI systems) that perform each step
- **Inspection...

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

implementing-image-provenance-verification-with-cosign

Sign and verify container image provenance using Sigstore Cosign with keyless OIDC-based signing, attestations, and Kubernetes admission enforcement.

12,642 Updated today
mukul975
AI & Automation Listed

supply-chain

Software supply-chain defense — SBOM generation (CycloneDX/SPDX), SLSA build provenance, artifact signing with sigstore/cosign, dependency-confusion and typosquat defense, and consumer-side verification of what you pull in.

4 Updated 1 week ago
roodlicht
AI & Automation Featured

implementing-sigstore-for-software-signing

Implements Sigstore-based software signing and verification using Cosign keyless signing, Rekor transparency log verification, and Fulcio certificate authority integration to establish cryptographic provenance for container images, binaries, and software artifacts. The practitioner configures OIDC-based identity binding, verifies signing events against the Rekor transparency log, and integrates signing workflows into CI/CD pipelines. Activates for requests involving software supply chain signing, keyless container signing, Sigstore deployment, or artifact provenance verification.

12,642 Updated today
mukul975
AI & Automation Solid

sbom-supply-chain

Generate, attach, and verify SBOMs (CycloneDX/SPDX) for container images; implement SLSA provenance; harden software supply chain.

14 Updated 3 days ago
sawrus
AI & Automation Featured

building-ioc-enrichment-pipeline-with-opencti

OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using O

12,642 Updated today
mukul975