Do you know where the software you’re running comes from?
Software supply chains are becoming more commonplace and robust. Attackers are finding more ways to infiltrate build infrastructure and tamper with builds. Witness is here to help.
Witness collects data about how software was built
Witness integrates with CI and infrastructure providers APIs to collect information about how and where software is built. This allows Witness to create verifiable attestations about the CI provider runner and underlying build infrastructure that builds your software. Policy can be created and enforced that makes sure the software you are running was built how you expected it and by the infrastructure that should have built it.
Witness wraps build processes to collect information about the process itself, including what files were opened, read, or created during your build process. Witness can detect unexpected changes to any files through your build process, ensuring that the files that were used during the build were not unexpectedly modified.
Witness is compatible with other open source projects
Witness generates attestations that are compliant with the in-toto specification. This enables Witness to use in-toto attestations generated by other tools during policy verification.
Witness can sign attestations using keys provided by the SPIFFE framework. SPIFFE ensures that keys only get provided to trusted parties and limits blast radius of leaked keys by frequent key rotation.
Witness can store attestations in Rekor, a publicly available transparency log. Using Rekor allows consumers of software to find attestations generated during the software’s build and use those attestations to verify policy.