Friends of in-toto! A place to record integrations and adoptions of the in-toto specification.
.github Bump actions/setup-python from 5.4.0 to 5.5.0 (#71) 2025-03-31 14:15:20 -04:00
chainguard Add Chainguard 2025-01-09 20:16:10 -05:00
chainloop docs: add chainloop project 2023-04-03 23:43:42 +02:00
datadog Add datadog adoption 2022-07-08 11:10:49 -04:00
dependents-report Bump requests from 2.32.3 to 2.32.4 (#82) 2025-06-17 14:43:20 -04:00
edgebit Add EdgeBit's SBOM server (#35) 2024-12-03 21:07:28 -05:00
github Add GitHub to in-toto friends 2024-10-17 13:54:40 -04:00
gitlab Add link to GitLab documentation re attestations 2022-09-07 15:31:29 -04:00
grafeas Add grafeas integration 2022-07-09 22:50:15 -04:00
guac fix typo 2023-04-13 15:05:33 -04:00
hoppr Fix capitalization of in-toto 2023-03-27 15:03:06 +00:00
img docs: adding lockheed martin to list of adopters https://github.com/in-toto/friends/issues/56 2025-01-08 20:48:55 -08:00
jenkins Add jenkins integration 2022-07-09 22:50:31 -04:00
lockheed-martin docs: adding lockheed martin to list of adopters https://github.com/in-toto/friends/issues/56 2025-01-08 20:48:55 -08:00
openvex OpenVEX ♥️ in-toto 2023-06-08 10:59:46 -06:00
rebuilderd Add rebuilderd integration 2022-07-08 11:16:00 -04:00
sigstore Add sigstore 2023-08-30 18:47:57 -04:00
slsa Add slsa adoption 2022-07-10 21:35:42 -04:00
solarwinds Add solarwinds adoption 2022-07-09 22:50:44 -04:00
spectrocloud SpectroCloud ❤️ in-toto 2024-12-11 09:18:03 -07:00
tekton-chains Add tekton chains integration 2022-07-10 21:35:57 -04:00
testifysec Add link to TestifySec website and address other feedback 2023-09-01 12:53:19 -05:00
README.md docs: adding lockheed martin to list of adopters https://github.com/in-toto/friends/issues/56 2025-01-08 20:48:55 -08:00

in-toto/friends

This repository is a place to record integrations (ongoing and complete) and adoptions of in-toto. This information is useful for sharing the nuances of specific integrations or adoptions, which can help newer adopters in the future.

We welcome adopters to add to the list here by creating a directory with a README file describing how they use in-toto. The directory can contain any other artifacts necessary to detail the in-toto integration.

Project Adopters

This section lists organizations or individuals who have adopted the project and are using it in their workflows or systems. These adopters contribute to the project's ecosystem and showcase its real-world usage across various domains.

| Adopter Name | Description |
| --- | --- |
| Datadog | Datadog uses in-toto to secure its agent integrations as they move through the company's CI/CD system. |
| Lockheed Martin | Lockheed Martin is one of the world's largest aerospace and defense companies, primarily known for manufacturing military aircraft like the F-35 Lightning II and F-22 Raptor fighter jets. |
| OpenVEX | OpenVEX documents are designed to be self-sustaining, but the specification is designed to benefit from the in-toto attestation format, completing VEX statements with data outside of the OpenVEX predicate. |
| SLSA | Supply chain Levels for Software Artifacts, or SLSA, is a framework that provides a series of requirements and controls. |
| SolarWinds | SolarWinds is an American company that provides information technology services and software to other companies and government agencies. |

Project Integrations

This section lists software systems, services, or platforms that integrate with the project to provide additional functionality, interoperability, or compatibility. These integrations enhance the project's capabilities and extend its usefulness across various ecosystems.

| Integration Name | Description |
| --- | --- |
| GitHub | GitHub is a developer platform popular across enterprises and open source. GitHub artifact attestations support SLSA build provenance and SBOM in-toto predicate types. |
| GitLab | GitLab is a popular Git server that also provides CI/CD integrations. |
| Grafeas | Grafeas is an open source metadata API that is used to store metadata relevant to software supply chains. Grafeas includes support for in-toto link metadata. |
| GUAC | GUAC has the ability to ingest and parse SLSA and other in-toto ITE6 attestations (either wrapped in DSSE or standalone). |
| Hoppr | Hoppr leverages the in-toto Python package to generate in-toto layout files based on a hoppr transfer configuration. |
| Jenkins | The in-toto team maintains a plugin for Jenkins that can be used to generate in-toto metadata pertaining to a particular build or "job". |
| rebuilderd | Rebuilderd is a build system project that is part of Reproducible Builds. When the result of a rebuild is positive, i.e., the build process is found to be reproducible, rebuilderd generates an in-toto link recording this result. |
| Sigstore | In-toto and Sigstore are complementary in their efforts, and Sigstore integrates in-toto in a number of ways. Sigstore's keyless signing can be used to sign in-toto metadata, as demonstrated by Cosign's SLSA Provenance generation. |
| Tekton Chains | Tekton Chains is a component for Tekton that adds software supply chain security. Chains observes all "TaskRuns" or jobs that are executed, and generates an in-toto attestation. |
| TestifySec | TestifySec is a software supply chain security company that has created two open source projects that leverage in-toto: Witness and Archivista. |

Credit

The friends idea was borrowed from other communities in the space like Sigstore and tektoncd.