OpenSSF Community Day North America 2025

U.S. executive orders 14028 and 14144 are driving greater adoption of supply chain security and transparency. The in-toto framework, a widely-deployed CNCF project, provides tools and data formats for generating and verifying authenticated supply chain metadata such as SBOMs and SLSA Build Provenance. in-toto plays a central role in enabling vendors to comply with regulations, but consumers and auditors still face challenges defining intuitive policies that allow them to derive meaning from existing attestations.

This session will present ongoing work on in-toto policies, where the community has been (re)defining policy specification and artifact verification for a rapidly evolving supply chain ecosystem. It starts with a brief introduction to the in-toto Attestation Framework, which is a standard way to describe supply chain data. This will be followed by sharing how the previous version of in-toto policies were unfortunately incompatible with new attestations formats. This concludes by demoing in-toto’s new policy framework that not only links attestations but also does so in more powerful, flexible, and user-friendly ways that accommodate a wide variety of real-world use cases.