CNCF Graduates in-toto, Bolstering Software Supply Chain Security
Briefly

The Cloud Native Computing Foundation announced on April 23, 2025, that in-toto has graduated, marking its maturity in enforcing supply chain integrity throughout software development. Developed by NYU Tandon, in-toto allows organizations to create policies for authorized actions in the software development lifecycle, thereby preventing tampering and insider threats. The graduation signifies its readiness for production use, supported by agencies like NSF and DARPA. Already adopted by companies like Autodesk and SolarWinds, in-toto addresses critical supply chain threats as highlighted by CNCF’s CTO, ultimately enhancing trust in software delivery.
As software supply chain threats grow in scale and complexity, in-toto enables organizations to confidently verify their development workflows, reducing risk, enabling compliance, and ultimately accelerating secure innovation.
in-toto provides a declarative framework enabling organizations to define policies that ensure only authorized actors perform specific build steps in the correct sequence.
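The policy model described above can be illustrated with a small verifier. The Python below is an added example written for this brief, not code from the in-toto project or from InfoQ: a layout names the functionary key ids allowed to sign each step and fixes the step order, each step emits a signed link recording what it consumed (materials) and produced (products), and verification rejects chains with an unauthorized signer, a missing step, a broken signature, or materials that do not match the previous step's products. The layout and link schema is a deliberate simplification of in-toto's real format, the functionary names and file contents are constructed, and HMAC-SHA256 with a shared secret stands in for the asymmetric signatures in-toto actually uses.

```python
"""Simplified model of in-toto-style supply chain policy verification.

Constructed example. The schema below is NOT in-toto's real layout/link
format, and HMAC with a shared secret stands in for the public-key
signatures real in-toto links carry.
"""
import hashlib
import hmac
import json

# Constructed functionary secrets (assumption: stand-ins for real key pairs;
# a real verifier would hold only public keys).
FUNCTIONARY_KEYS = {
    "alice-dev": b"alice-secret",
    "ci-builder": b"ci-secret",
    "mallory": b"mallory-secret",
}

# Constructed layout: steps in required order, each naming the key ids
# authorized to perform (sign) it.
LAYOUT = {
    "steps": [
        {"name": "clone", "authorized": ["alice-dev"]},
        {"name": "build", "authorized": ["ci-builder"]},
        {"name": "package", "authorized": ["ci-builder"]},
    ]
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_link(step, materials, products, key_id):
    """Produce a signed link for one step; materials/products map path -> sha256."""
    body = {"step": step, "materials": materials, "products": products}
    sig = hmac.new(FUNCTIONARY_KEYS[key_id], canonical(body), hashlib.sha256).hexdigest()
    return {"signed": body, "signature": {"keyid": key_id, "sig": sig}}


def verify_chain(layout, links, keys):
    """Return the list of policy violations; an empty list means the chain verifies."""
    violations = []
    by_step = {link["signed"]["step"]: link for link in links}
    prev_products = None
    for step in layout["steps"]:
        link = by_step.get(step["name"])
        if link is None:
            violations.append(f"{step['name']}: no link metadata")
            prev_products = None
            continue
        key_id = link["signature"]["keyid"]
        if key_id not in step["authorized"]:
            violations.append(f"{step['name']}: signed by unauthorized key {key_id}")
        secret = keys.get(key_id)
        expected = (hmac.new(secret, canonical(link["signed"]), hashlib.sha256).hexdigest()
                    if secret else None)
        if expected is None or not hmac.compare_digest(expected, link["signature"]["sig"]):
            violations.append(f"{step['name']}: bad signature")
        # Artifact rule: what this step consumed must be exactly what the
        # previous step produced, so nothing was swapped in between steps.
        if prev_products is not None:
            for path, h in link["signed"]["materials"].items():
                if prev_products.get(path) != h:
                    violations.append(
                        f"{step['name']}: material {path} does not match previous products")
        prev_products = link["signed"]["products"]
    return violations


def build_chain(tamper=False, impostor=False):
    """Constructed three-step chain; flags inject the failure modes the verifier catches."""
    src = {"src/main.c": digest(b"int main(void){return 0;}")}
    clone = sign_link("clone", {}, src, "alice-dev")
    build_materials = dict(src)
    if tamper:
        # Simulated tampering: the source the build consumed differs from what clone produced.
        build_materials["src/main.c"] = digest(b"int main(void){return 1;}")
    binary = {"bin/app": digest(b"\x7fELF-constructed-binary")}
    build = sign_link("build", build_materials, binary, "ci-builder")
    package = sign_link("package", dict(binary), {"dist/app.tar": digest(b"constructed-tar")},
                        "mallory" if impostor else "ci-builder")
    return [clone, build, package]


if __name__ == "__main__":
    print("honest chain:", verify_chain(LAYOUT, build_chain(), FUNCTIONARY_KEYS))
    print("tampered materials:", verify_chain(LAYOUT, build_chain(tamper=True), FUNCTIONARY_KEYS))
    print("unauthorized signer:", verify_chain(LAYOUT, build_chain(impostor=True), FUNCTIONARY_KEYS))
```

The honest chain yields no violations; swapping the source consumed by the build, letting an unlisted functionary sign the package step, or dropping a step each produces a specific violation, which is the kind of policy failure in-toto's layout verification is designed to surface.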
Read at InfoQ