
Uncovering the History of Your Software Artifacts

2022-10-24

Authors: Mikhail Swift


Summary

Archivist is a graph database and service that indexes in-toto attestations so that relevant attestations can be found and discovered through a GraphQL API.
  • Archivist is designed to archive more data and make finding relevant attestations easier
  • Archivist uses in-toto attestations as graph edges and indexes them onto a graph using Dgraph
  • Archivist exposes a GraphQL API for users to query and refine their searches over time
  • Archivist pulls out specific information, such as which attestations are contained in the in-toto attestation and which signatures are on it, and makes it available before the full attestation is pulled
  • Archivist uses in-toto subjects as graph edges and stores the statement itself as arbitrary data
  • Archivist can be used to find code review attestations and other relevant attestations to prove policy enforcement
The speaker demonstrated how Archivist can be used to enforce policies by creating a Witness policy that describes what should have happened during the build process of a program. Archivist can then be used to find the relevant attestations that prove the policy was satisfied.
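The indexing idea in the summary (subject digests as graph edges, the statement kept as opaque data, signer key ids extracted up front, and a policy check that asks which attestation types exist for an artifact) can be sketched in a few dozen lines. The example below is added here and is not Archivist's or Witness's code; it uses the real in-toto Statement and DSSE envelope field names, but the predicate type URLs, key ids, digests and envelopes are constructed for the example, and the signature is a placeholder that a real store would verify before indexing.

```python
"""Toy in-memory index of in-toto attestations keyed by subject digest (constructed example)."""
import base64
import hashlib
import json
from collections import defaultdict

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"

# Constructed predicate types for this example; not Witness's or Archivist's real identifiers.
BUILD_PREDICATE = "https://example.invalid/predicates/build"
REVIEW_PREDICATE = "https://example.invalid/predicates/code-review"

# Constructed artifact digests.
APP_DIGEST = hashlib.sha256(b"constructed application binary").hexdigest()
OTHER_DIGEST = hashlib.sha256(b"some unrelated artifact").hexdigest()


def envelope(statement: dict) -> dict:
    """Wrap a Statement in a DSSE-style envelope. The signature is a placeholder:
    a real store verifies signatures against trusted keys before indexing anything."""
    payload = json.dumps(statement, sort_keys=True).encode()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "constructed-key-id", "sig": "PLACEHOLDER"}],
    }


def statement(predicate_type: str, subjects: dict, predicate: dict) -> dict:
    """Build an in-toto Statement whose subjects are name -> sha256 hex digest."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": n, "digest": {"sha256": d}} for n, d in subjects.items()],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


# Constructed envelopes: a build and a code-review attestation about the same binary,
# plus a build attestation about an unrelated artifact.
SAMPLE_ENVELOPES = [
    envelope(statement(BUILD_PREDICATE, {"app": APP_DIGEST}, {"builder": "ci-runner-1"})),
    envelope(statement(REVIEW_PREDICATE, {"app": APP_DIGEST}, {"approvers": 2})),
    envelope(statement(BUILD_PREDICATE, {"other": OTHER_DIGEST}, {"builder": "ci-runner-2"})),
]


class AttestationIndex:
    """Statements are stored whole (opaque data); (algorithm, digest) pairs form the edges."""

    def __init__(self) -> None:
        self.statements: list[dict] = []
        self.by_subject: dict[tuple[str, str], set[int]] = defaultdict(set)
        self.signers: dict[int, list[str]] = {}

    def ingest(self, env: dict) -> int:
        if env.get("payloadType") != "application/vnd.in-toto+json":
            raise ValueError("unsupported payloadType")
        stmt = json.loads(base64.b64decode(env["payload"]))
        if stmt.get("_type") != STATEMENT_TYPE:
            raise ValueError("not an in-toto Statement")
        sid = len(self.statements)
        self.statements.append(stmt)
        # Record signer key ids once so later queries need not re-parse the payload.
        self.signers[sid] = [s["keyid"] for s in env.get("signatures", [])]
        for subj in stmt["subject"]:
            for alg, digest in subj["digest"].items():
                self.by_subject[(alg, digest.lower())].add(sid)
        return sid

    def find(self, alg: str, digest: str) -> list[dict]:
        """All statements that name the given artifact digest as a subject."""
        ids = sorted(self.by_subject.get((alg, digest.lower()), ()))
        return [self.statements[i] for i in ids]

    def missing_for_policy(self, alg: str, digest: str, required: list) -> set:
        """Predicate types a policy requires for this artifact that no attestation provides."""
        have = {s["predicateType"] for s in self.find(alg, digest)}
        return set(required) - have


def build_index(envelopes=SAMPLE_ENVELOPES) -> AttestationIndex:
    idx = AttestationIndex()
    for env in envelopes:
        idx.ingest(env)
    return idx


if __name__ == "__main__":
    idx = build_index()
    policy = [BUILD_PREDICATE, REVIEW_PREDICATE]
    print(len(idx.find("sha256", APP_DIGEST)), "attestations about the app binary")
    print("app missing:", idx.missing_for_policy("sha256", APP_DIGEST, policy))
    print("other missing:", idx.missing_for_policy("sha256", OTHER_DIGEST, policy))
```

Keying the edge on the (algorithm, digest) pair rather than on the subject name is what lets the lookup stay trustworthy: a name is whatever the producer wrote, while the digest is what the verifier can recompute from the artifact in hand.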

Abstract

Discovering who, how, and where a software artifact was created is a daunting task. Archivist is an open source in-toto attestation index and store that lets you uncover the history of a software artifact and establish trust in it. Archivist allows you to discover the attestations you need to satisfy your in-toto policies and ensure only trusted artifacts make it to production. In this talk we'll use Witness (an in-toto implementation) to create attestations about a build process of an attestation and store them in Archivist. Then we will create a Witness policy and enforce it while querying Archivist to discover the relevant attestations that satisfy the policy.

Materials: