[Translation] Supply chain security project in-toto moves to the CNCF incubator
2022-07-06 19:29:00 【programmer_ ada】
The CNCF Technical Oversight Committee (TOC) has voted to accept in-toto as a CNCF incubating project.
in-toto is a framework that protects the software supply chain by collecting and verifying relevant data. It enables libraries to collect information about software supply chain actions, and allows software consumers and project managers to publish policies about software supply chain practices that can be verified before deploying or installing software. In short, it helps capture what happens in the software supply chain and ensure that it happens according to defined policies.
The in-toto project was created in 2015 by the Secure Systems Lab at New York University's Tandon School of Engineering. Since then, it has continued to evolve to better fit the practices of different software ecosystems and to integrate better with other cloud technologies, such as SPIFFE and SPIRE. Because a chain is only as strong as its weakest link, the project remains flexible enough to protect every aspect of the software supply chain, from source code to admission in Kubernetes clusters and beyond.
CNCF TOC member and project sponsor Justin Cormack said: "Supply chain security is one of the biggest challenges facing today's software ecosystem. A typical software supply chain is formed by many steps 'chained' together, including writing, testing, packaging and distributing software. More steps mean that an organization may have more vulnerabilities. in-toto solves this problem by providing a safe and trusted way to represent and prove all operations in the cloud native pipeline. We see strong support from the community."
Since joining the CNCF sandbox in 2019, in-toto has attracted more than 132 contributors from 16 different organizations, and now has 8 maintainers and approvers from 5 organizations.
Over the past three years, the in-toto team has focused on achieving stability by adding or modifying features, including SPIFFE support, more expressive evidence collection, and implementations in different languages, such as Rust. The project has also been integrated into important security applications, such as Reproducible Builds and Sigstore.
in-toto has been adopted by Datadog, Google Grafeas, Kubesec.io, rebuilderd, SolarWinds, Sigstore's Cosign, and other organizations. Datadog uses it to protect their pipelines, and SolarWinds uses it to avoid future hacking incidents on the scale of the 2019 SUNBURST incident. In addition, projects such as rebuilderd produce in-toto attestations in order to build cryptographically verified reproducibility checks. Finally, projects such as cosign, part of Sigstore, use in-toto as the underlying technology to attest to various supply chain actions. In fact, in-toto is the second most used mechanism on Sigstore.
in-toto is also the first project to pass the CNCF TAG Security assessment.
Significant milestones:
- More than 500 GitHub stars
- 700 pull requests
- 194 issues
- 45 contributors
- 32 releases
Chris Aniszczyk, chief technology officer of the Cloud Native Computing Foundation, said: "In the past few years, we have seen the frequency and severity of attacks across the entire software supply chain increase, and even the White House recently issued an executive order. We are pleased to have a project that provides innovation in the field of supply chain security, and we look forward to seeing cooperation between communities to continue making the cloud native ecosystem more secure."
Since releasing 1.0 in 2020, in-toto has focused on providing stability for existing integrations. In the coming year, the team plans to add exciting new features, including support for expressive type tracking during evidence collection, better native support for processing SLSA attestations, a simpler policy language, and a collection of "best supply chain practices" policies to ease adoption by projects that want to secure their supply chains. Read more in the project's roadmap.
As a CNCF-hosted project, in-toto is part of a neutral foundation aligned with its technical interests, as well as the larger Linux Foundation, which provides governance, marketing support and community outreach. in-toto joins incubating technologies Argo, Buildpacks, Chaos Mesh, Cilium, CloudEvents, CNI, Contour, Cortex, CRI-O, Crossplane, Dapr, Dragonfly, emissary-ingress, Falco, Flagger, Flux, gRPC, KEDA, Knative, KubeEdge, Litmus, Longhorn, NATS, Notary, OpenMetrics, OpenTelemetry, Operator Framework, SPIFFE, SPIRE, and Thanos. For more information about maturity requirements at each level, visit the CNCF Graduation Criteria.