Tags: SLSA v1.0 · Sigstore · in-toto · CycloneDX 1.6 · NIST SSDF · EO 14028 · Deep Prototype

AttestChain — Supply-Chain Attestation Log (SLSA + Sigstore + in-toto)

22 build artifacts (containers + npm + pip + binaries + SDKs) audited against SLSA v1.0 attestation chain. Per artifact: SLSA level (1-4), Sigstore signature, in-toto provenance, SBOM (CycloneDX 1.6), source provenance, runtime verification. Surfaces 4 SLSA Level 1 artifacts (no provenance) + 2 unsigned releases + 1 vendor sidecar mirrored without verification.


What it is

This is the shape behind every modern software-supply-chain program — Chainguard, Phylum, Snyk Container, GitHub Attestations. Per artifact: which SLSA level it’s at, who signed it, which provenance attestations exist, which SBOM accompanies it, and which runtime verification gates it.

What’s in it

  • 22 build artifacts spanning 12 containers, 2 npm SDKs, 1 Python SDK, 1 CLI binary, 1 Android SDK, 1 iOS SDK, 1 customer-X custom build, 1 marketing static-site bundle, 1 vendor sidecar.
  • 5-axis SLSA check per artifact:
    1. Signature present — Sigstore keyless / cosign key-based / npm provenance / Apple notarization
    2. in-toto provenance — SLSA provenance attestation
    3. SBOM — CycloneDX 1.6 alongside the artifact
    4. Source provenance — signed-commits + branch protection
    5. Runtime verification — admission controller verifies signature at deploy
  • Worst-offender findings:
    • AC-009 legacy-mongo-svc — L1, no provenance, built by ex-employee (cross-references CodeOwnersAudit R22 + RetentionPolicy R035)
    • AC-019 vendor sidecar — L1, vendor binary mirrored without verification. Supply-chain risk.
    • AC-021 legacy-pdf-renderer — built before SLSA adoption. Replace + retire.
  • Per-artifact verification command — copy-pasteable cosign / npm / sigstore verify commands.
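The five-axis check and the per-type verify command, as an added illustration written for this page rather than AttestChain's own code: it runs over a constructed four-artifact inventory modelled on the findings above. Artifact ids and names, the `<BUILDER_IDENTITY>` / `<OIDC_ISSUER>` / `<TAG>` placeholders and the `vendorMirror` field are assumptions; the command shapes follow cosign v2, `npm audit signatures` and the sigstore-python CLI.

```javascript
// The five axes from the list above; each is a boolean (signature is a method string or null).
const AXES = ["signature", "provenance", "sbom", "sourceProvenance", "runtimeVerification"];

// Constructed sample inventory (hypothetical ids/names, shaped like the page's findings).
const ARTIFACTS = [
  { id: "AC-001", name: "api-gateway", type: "container", level: 3, signature: "sigstore-keyless",
    provenance: true, sbom: true, sourceProvenance: true, runtimeVerification: true },
  { id: "AC-009", name: "legacy-mongo-svc", type: "container", level: 1, signature: null,
    provenance: false, sbom: false, sourceProvenance: false, runtimeVerification: false },
  { id: "AC-014", name: "platform-sdk", type: "npm", level: 2, signature: "npm-provenance",
    provenance: true, sbom: true, sourceProvenance: true, runtimeVerification: false },
  { id: "AC-019", name: "vendor-sidecar", type: "container", level: 1, signature: null,
    provenance: false, sbom: false, sourceProvenance: false, runtimeVerification: false,
    vendorMirror: true }, // assumed flag: binary pulled from a vendor registry and re-hosted
];

// Per-type verification command; identity/issuer placeholders are filled in per organisation.
function verifyCommand(a) {
  const who = "--certificate-identity-regexp '<BUILDER_IDENTITY>' --certificate-oidc-issuer '<OIDC_ISSUER>'";
  switch (a.type) {
    case "container": return `cosign verify ${who} ${a.name}:<TAG>`;
    case "npm":       return "npm audit signatures"; // checks registry signatures + provenance of installed deps
    case "pip":       return `sigstore verify identity --cert-identity '<BUILDER_IDENTITY>' --cert-oidc-issuer '<OIDC_ISSUER>' ${a.name}-<VERSION>.whl`;
    case "binary":    return `cosign verify-blob --bundle ${a.name}.sigstore.json ${who} ${a.name}`;
    default:          return null; // Apple notarization / Android signing not covered here
  }
}

// Run the five axes and derive the worst-offender categories the page surfaces.
function assess(a) {
  const missing = AXES.filter((axis) => !a[axis]);
  const findings = [];
  if (!a.signature) findings.push("unsigned release");
  if (a.level <= 1 && !a.provenance) findings.push("L1, no provenance");
  if (a.vendorMirror && !a.signature) findings.push("vendor binary mirrored without verification");
  return { id: a.id, missing, findings, verify: verifyCommand(a) };
}

// Artifacts with at least one finding, most findings first.
function worstOffenders(artifacts) {
  return artifacts.map(assess)
    .filter((r) => r.findings.length > 0)
    .sort((x, y) => y.findings.length - x.findings.length);
}
```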

Why this shape

NIST SSDF SP 800-218 + Executive Order 14028 made software-supply-chain attestation a federal-procurement requirement. SLSA v1.0 (Aug 2023) defines the levels. Sigstore (cosign + Rekor + Fulcio) is the signing infrastructure; in-toto is the provenance format. CycloneDX 1.6 is the SBOM standard. AttestChain prototypes the inventory that surfaces which artifacts are at which level + which need to climb.

How it ships

Single HTML file, ~17KB. Zero dependencies. 22 artifacts × 5-axis SLSA check + per-type verify command in 200 lines of vanilla JavaScript.
