Software Supply Chain Attribute Integrity (SCAI) Demos and CLI tools

attestations cli demos software-supply-chain-security

Go to file

dependabot[bot] c97ac22de7 Bump github.com/secure-systems-lab/go-securesystemslib (#143 ) Bumps [github.com/secure-systems-lab/go-securesystemslib](https://github.com/secure-systems-lab/go-securesystemslib) from 0.9.0 to 0.9.1. - [Release notes](https://github.com/secure-systems-lab/go-securesystemslib/releases) - [Commits](https://github.com/secure-systems-lab/go-securesystemslib/compare/v0.9.0...v0.9.1) --- updated-dependencies: - dependency-name: github.com/secure-systems-lab/go-securesystemslib dependency-version: 0.9.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>		2025-08-05 10:20:22 -07:00
.github	Bump actions/setup-go from 5.4.0 to 5.5.0 (#134 )	2025-05-14 15:33:59 -07:00
docs	Refactor SCAI generator APIs into pkg/ (#38 )	2024-04-04 17:47:51 -07:00
examples	Change to securesystemslib.hash.digest_filename API	2024-04-12 10:45:54 -07:00
fuzzing	initial commit	2023-01-23 19:40:48 -08:00
kccncna2023-demo	Final demo setup	2023-12-28 14:40:32 -08:00
layouts	Add SLSA assertion check example	2023-08-25 18:01:55 -07:00
policies	Add SLSA assertion check example	2023-08-25 18:01:55 -07:00
python	Change to securesystemslib.hash.digest_filename API	2024-04-12 10:45:54 -07:00
scai-gen	Bump SCAI predicate version to v0.3 (#81 )	2025-01-21 11:55:54 -08:00
.gitignore	Verify layout for example pdo client container build pipeline	2023-08-24 10:19:39 -07:00
.golangci.yml	Switch Go linting to golangci-lint	2023-10-25 11:29:42 -07:00
CODEOWNERS	Switch to scai-demos team in codeowners	2024-03-27 16:37:59 -07:00
LICENSE	Add license	2023-06-13 16:35:31 -07:00
Makefile	Change to securesystemslib.hash.digest_filename API	2024-04-12 10:45:54 -07:00
README.md	Add KubeConCNCNA23 demo verification flow setup	2023-12-28 14:04:04 -08:00
coverity-output.txt	initial commit	2023-01-23 19:40:48 -08:00
go.mod	Bump github.com/secure-systems-lab/go-securesystemslib (#143 )	2025-08-05 10:20:22 -07:00
go.sum	Bump github.com/secure-systems-lab/go-securesystemslib (#143 )	2025-08-05 10:20:22 -07:00
requirements.txt	Use in-toto-attestation v0.9.2	2023-08-29 16:11:28 -07:00
scail-bandit-output.txt	initial commit	2023-01-23 19:40:48 -08:00

README.md

in-toto SCAI Generator and Demos

The Software Supply Chain Attribute Integrity, or SCAI (pronounced "sky"), framework is a succinct data format specification for claims and evidence about attributes and integrity about a software artifact and its supply chain.

For more details read our intro doc or the full SCAI spec doc.

In this repo

This repo provides Go and Python implementations of CLI tools for automatically generating SCAI metadata compliant with the in-toto Attestation Framework.

A number of sample use cases for SCAI are implemented in examples/.

In addition, our Go scai-gen CLI tool supports policy checking of SCAI attestations against evidence. Example policies can be found in policies/.

The SCAI specification is hosted under the in-toto Attestation Framework as an attestation predicate.

All documentation can be found under docs/.

Usage

Read the usage doc for instructions on setup and tool invocation for Python and Go environments.

We encourage you to gain a basic understanding of the SCAI specification before using the scai-generator CLI tools in this repo.

For a full demo of how to use the Go scai-gen tools, read our [KubeCon + CloudNativeCon NA '23 doc].

Disclaimer

While the tools in this repo are conformant to the in-toto Attestation Framework, they do not generate authenticated SCAI attestations. The example use cases in this repo are only provided for illustrative purposes, and should not be used in production.