witness
« Back to VersTracker
Description:
Automates, normalizes, and verifies software artifact provenance
Type: Formula  |  Latest Version: 0.10.1@0  |  Tracked Since: Oct 15, 2025
Links: Homepage  |  formulae.brew.sh
Category: Security
Tags: security provenance supply-chain attestation devops
Install: brew install witness
About:
Witness is a toolchain for creating and verifying software supply chain attestations using in-toto. It integrates with CI/CD pipelines to wrap build steps, automatically generating provenance metadata. This allows users to verify the origin and integrity of artifacts, ensuring they haven't been tampered with.
Key Features:
  • Automated attestation generation during builds
  • Cryptographic verification of artifact provenance
  • Integration with in-toto and Sigstore
  • Policy-based verification framework
Use Cases:
  • Securing CI/CD pipelines against tampering
  • Generating verifiable build provenance for compliance
  • Verifying artifact integrity before deployment
Alternatives:
  • SLSA Generator – Witness is framework-agnostic and focuses on in-toto, while SLSA Generator is specific to GitHub Actions and SLSA levels.
  • in-toto – Witness provides a higher-level, CI/CD-focused wrapper around in-toto's lower-level cryptographic primitives.
Version History
Detected Version Rev Change Commit
Oct 15, 2025 8:47pm 0 VERSION_BUMP 74d3d35e
Oct 10, 2025 1:37am 0 VERSION_BUMP d9a07ceb
Sep 11, 2025 8:49pm 0 VERSION_BUMP 00e510a6
« Back to VersTracker  |  Browse Packages  |  About