The Cloud Native Computing Foundation has announced the graduation of in-toto, a software supply chain security framework developed at NYU Tandon, which enhances software integrity by verifying every step in the development lifecycle. With rising supply chain attacks, in-toto's capabilities to ensure trust and compliance are increasingly vital for organizations seeking secure innovation. The project has evolved from academic research to an industry standard, supported by major funding agencies and notable adoption by companies like SolarWinds and Autodesk.

Witness is a dynamic CLI tool that enhances software supply chain security by creating an audit trail throughout the software development lifecycle (SDLC) using the in-toto specification. It features a policy engine for enforcement, supports various integrations, and allows for keyless signing and attestation storage. The tool is maintained by the open community and offers both free and commercial support options.