Skip to main content

In-Toto

In-Toto is an open-source software

supply chain security framework (software supply chain security) that records and verifies metadata about each step of a software build and delivery process.

  • Framework for describing software supply chain layouts and expected steps (software supply chain security)
  • Generation and collection of cryptographically verifiable metadata for each supply chain step (software integrity)
  • Verification of recorded steps against a declared layout using cryptographic signatures (software integrity)
  • Integration with existing build, Continuous Integration and Continuous Deployment (CI/CD), and packaging workflows (DevSecOps)
  • Support for securing software artifact provenance and guarding against tampering in transit (artifact provenance)

More About In-Toto

In-Toto is a framework for securing the software supply chain by providing a way to describe, record, and verify every step involved in building, testing, and distributing software (software supply chain security). It addresses risks where attackers attempt to alter code, build configurations, or artifacts at any point between source control and deployment. The project focuses on end-to-end integrity, ensuring that the software an organization deploys corresponds to the intended process and participants defined in advance.

The core concept in In-Toto is the software supply chain “layout” (software supply chain modeling), which defines the sequence of steps, required materials and products, and the authorized functionaries for each step. This layout is signed by a trusted party and acts as the policy against which actual executions are evaluated. Each step in the layout corresponds to a part of the build or release pipeline, such as fetching dependencies, running tests, compiling code, or creating container images.

During execution, In-Toto records cryptographically verifiable metadata, often referred to as “link” metadata, for each defined step (software integrity). This metadata includes information about input and output artifacts, commands executed, and the keys of the functionaries who performed the step. These links are signed and later inspected to verify that the real-world supply chain followed the declared layout. Verification can detect missing steps, unexpected changes to artifacts, or use of unauthorized keys.

In-Toto is designed to integrate with existing CI/CD pipelines and development toolchains (DevSecOps). Build systems and release workflows can invoke In-Toto tooling alongside familiar stages such as compilation, testing, packaging, and image creation. Enterprises can enforce policy-based checks that run before deployment, verifying that all required steps were executed by the correct parties and that no unapproved modifications occurred. This supports compliance and governance use cases where traceability of code and artifacts is required.

From a technical perspective, In-Toto relies on cryptographic signatures and hash-based artifact tracking (cryptographic security). It can work with other supply chain security efforts focused on provenance and attestation, and it contributes a model for representing and verifying the end-to-end process rather than only individual artifacts. For directory and taxonomy purposes, In-Toto fits within software supply chain security, DevSecOps automation, build integrity validation, and artifact provenance verification, and it is relevant to organizations that need policy-driven control over how software is built and moved into production.