Uncovering the History of Your Software Artifacts - Mikhail Swift, TestifySec

less than 1 minute read


Discovering who, how, and where a software artifact was created is a daunting task. Archivist is an open source In-Toto attestation index and store, allowing you to uncover the history and establish trust of a software artifact. Archivist allows you to discover the attestations you need to satisfy your in-toto policies and ensure only trusted artifacts make it to production. In this talk we’ll use Witness (an In-Toto implementation) to create attestations about a build process of an attestation and store them in Archivist. Then we will create a Witness policy and enforce it while querying Archivist to discover relevant attestations to satisfy the policy.

Sched URL