OpenSec Atlas

Name: witness
Author: in-toto

witness: An Open Source Framework for Governance, Risk, and Compliance (GRC) | OpenSec Atlas

Back to Browse

Governance, Risk, and Compliance (GRC)

Framework

witness

Witness is a pluggable framework that automates, normalizes, and verifies software artifact provenance to secure the software supply chain.

Visit Website View on GitHub

About This Tool

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.

Primary Use Case

Witness is used by security teams and DevOps engineers to create and verify audit trails for software throughout the entire software development lifecycle, ensuring compliance and detecting tampering. It integrates into CI/CD pipelines and infrastructure to enforce supply chain security policies and validate that software was produced and handled securely.

Key Features

Dynamic CLI tool integrating into pipelines and infrastructure to create audit trails using the in-toto specification
Embedded OPA Rego policy engine for customizable policy enforcement
Keyless signing support with Sigstore and SPIFFE/SPIRE
Integration with GitLab, GitHub, AWS, and GCP
Runs without elevated privileges in containerized and non-containerized environments
Support for RFC3161 compatible timestamp authorities
Process tracing and tampering prevention (experimental)
Attestation storage integration with Archivista

Insights & Recommendations

Witness is designed to run without elevated privileges, enhancing security in diverse environments. It supports keyless signing and integrates with multiple cloud providers, making it flexible for modern DevOps workflows. Users should leverage the embedded OPA Rego policy engine to tailor supply chain policies to their organizational requirements. Experimental features like process tampering prevention should be used with caution.

Installation

Download the Witness binary from the releases page
Or run the install script: bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)
For manual installation and integrity verification, follow instructions in INSTALL.md

Usage

bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)

Installs the latest release of Witness using the official install script

Smart Usage Notes

Integrate Witness into CI/CD pipelines to automate continuous supply chain attestation and policy enforcement.Leverage the embedded OPA Rego engine to create custom policies tailored to organizational risk tolerance and compliance requirements.Use Witness's keyless signing with Sigstore and SPIFFE/SPIRE to reduce key management overhead and improve signing security.Combine Witness attestations with runtime monitoring tools to correlate build-time provenance with runtime behavior for enhanced threat detection.Employ Witness in purple team exercises to simulate supply chain attacks and validate detection and response capabilities.