Source: witness
Section: golang
Maintainer: Debian Go Packaging Team
Uploaders:
 Simon Josefsson,
Build-Depends:
 debhelper-compat (= 13),
 dh-sequence-golang,
 golang-any,
 golang-github-gobwas-glob-dev,
 golang-github-in-toto-go-witness-dev,
 golang-github-invopop-jsonschema-dev,
 golang-github-olekukonko-tablewriter-dev,
 golang-github-open-policy-agent-opa-dev,
 golang-github-sigstore-fulcio-dev,
 golang-github-sirupsen-logrus-dev,
 golang-github-spf13-cobra-dev,
 golang-github-spf13-pflag-dev,
 golang-github-spf13-viper-dev,
 golang-github-stretchr-testify-dev,
 golang-k8s-apimachinery-dev,
Testsuite: autopkgtest-pkg-go
Standards-Version: 4.7.3
Vcs-Browser: https://salsa.debian.org/go-team/packages/witness
Vcs-Git: https://salsa.debian.org/go-team/packages/witness.git
Homepage: https://github.com/in-toto/witness
XS-Go-Import-Path: github.com/in-toto/witness

Package: witness
Section: devel
Architecture: any
Depends:
 ${misc:Depends},
 ${shlibs:Depends},
Built-Using:
 ${misc:Built-Using},
Static-Built-Using:
 ${misc:Static-Built-Using},
Description: software supply chain risk management framework (program)
 What does Witness do?
 .
 ✏️ **Attests** - Witness is a dynamic CLI tool that integrates into
 pipelines and infrastructure to create an audit trail for your software's
 entire journey through the software development lifecycle (SDLC) using the
 in-toto specification.
 .
 **🧐 Verifies** - Witness also features its own policy engine with embedded
 support for OPA Rego, so you can ensure that your software was handled
 safely from source to deployment.
 .
 What can you do with Witness?
 .
  * Verify how your software was produced and what tools were used
  * Ensure that each step of the supply chain was completed by authorized
    users and machines
  * Detect potential tampering or malicious activity
  * Distribute attestations and policy across air gaps
 .
 Key Features
 .
  * Integrations with GitLab, GitHub, AWS, and GCP.
  * Designed to run in both containerized and non-containerized
    environments **without** elevated privileges.
  * Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7)
  * An embedded OPA Rego policy engine for policy enforcement
  * Keyless signing with Sigstore and SPIFFE/SPIRE
  * Integration with RFC3161 compatible timestamp authorities
  * Process tracing and process tampering prevention (Experimental)
  * Attestation storage with Archivista
    (https://github.com/in-toto/archivista)
 .
 This package contains the binaries.

Package: golang-github-in-toto-witness-dev
Architecture: all
Multi-Arch: foreign
Depends:
 ${misc:Depends},
Description: software supply chain risk management framework (library)
 What does Witness do?
 .
 ✏️ **Attests** - Witness is a dynamic CLI tool that integrates into
 pipelines and infrastructure to create an audit trail for your software's
 entire journey through the software development lifecycle (SDLC) using the
 in-toto specification.
 .
 **🧐 Verifies** - Witness also features its own policy engine with embedded
 support for OPA Rego, so you can ensure that your software was handled
 safely from source to deployment.
 .
 What can you do with Witness?
 .
  * Verify how your software was produced and what tools were used
  * Ensure that each step of the supply chain was completed by authorized
    users and machines
  * Detect potential tampering or malicious activity
  * Distribute attestations and policy across air gaps
 .
 Key Features
 .
  * Integrations with GitLab, GitHub, AWS, and GCP.
  * Designed to run in both containerized and non-containerized
    environments **without** elevated privileges.
  * Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7)
  * An embedded OPA Rego policy engine for policy enforcement
  * Keyless signing with Sigstore and SPIFFE/SPIRE
  * Integration with RFC3161 compatible timestamp authorities
  * Process tracing and process tampering prevention (Experimental)
  * Attestation storage with Archivista
    (https://github.com/in-toto/archivista)
 .
 This package contains the Go library.