cilock and the TestifySec platform

The TestifySec platform is TestifySec's software supply chain attestation and compliance product, the larger commercial system that production teams use to manage attestations, run policy verification at scale, and produce compliance reports. Per TestifySec, it "enables a unified developer and cybersecurity governance experience to mitigate the risk of software supply chain attacks by integrating zero trust principles of observability and verification into software build pipelines".

Cilock is one of the evidence-producing clients that feeds the TestifySec platform. It also runs standalone, writing attestations to files or to Archivista. The TestifySec platform is what you reach for when raw evidence storage isn't enough and you need the layer on top of it: workflow, dashboards, audit reporting, and centralized policy management.

What the TestifySec platform adds on top of cilock

Cilock produces signed attestations and verifies them against policy. The TestifySec platform wraps that with the operational layer most teams need in production:

  • Centralized policy management: author and distribute signed policies across teams without each team running its own policy-signing setup.
  • Compliance reporting: auditor-ready reports tied directly to the underlying signed evidence, instead of manually correlating CI logs.
  • Cross-pipeline visibility: search and dashboards across every cilock-attested step, every repo, every release.
  • Network-restricted operation: designed to ensure software artifacts can attest to policy compliance even in air-gapped or network-restricted environments.

Components

Per TestifySec's AWS Marketplace announcement, the platform bundles four core capabilities:

  • Build pipeline observer: automates collection of trusted telemetry across input, environment, action, and output, cryptographically signed with a self-managed key, a KMS key, or an identity.
  • Certificate Authority: a TestifySec-supported private instance of Fulcio that issues short-lived (10-minute) identity-based certificates, removing the operational burden of key management and rotation.
  • Time Stamping Authority: provides cryptographic proof that data was signed while the certificate was valid, enabling artifact verification across disconnected (air-gapped) environments without relying on an external service.
  • GraphQL data store: managed storage, retrieval, and retention of attestations and trusted telemetry via a GraphQL API, for ad-hoc or deploy-time compliance verification from commit to production.

Cilock plugs in as the "build pipeline observer" component for teams that want to drive evidence collection from CI rather than a platform-managed observer.

CI platform support

The TestifySec platform supports both GitHub and GitLab pipelines, the same two platforms cilock targets out of the box. Attestations cilock produces in either platform feed the TestifySec platform through the same DSSE + in-toto envelope path.

When to use the TestifySec platform vs. just cilock

  You need                                                      | Use
  --------------------------------------------------------------|------------------------------------------------
  Quick proof-of-concept on a single pipeline                   | cilock alone: file output, no infrastructure
  Cross-team evidence storage and search                        | cilock + Archivista (open-source)
  Centralized policy management, compliance reporting,          | cilock + the TestifySec platform
  dashboards, network-restricted operation, vendor support      |

Cilock and the TestifySec platform are designed to scale together: what you wire up with cilock standalone keeps working when the platform is added on top, because the attestations are the same DSSE + in-toto envelopes either way.
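As an added illustration of that shared envelope path (example code written for this page, not cilock's or the TestifySec platform's own implementation): a Go program that wraps an in-toto Statement v1 in a DSSE envelope, signs it, and verifies it the way a deploy-time gate would. It uses only the Go standard library. A locally generated Ed25519 key stands in for the Fulcio-issued identity certificate described above; the predicate type URL, the key ID and the artifact bytes are constructed for the example. What it shows beyond the text: the signature covers the DSSE pre-authentication encoding of the payload type and payload, not the base64 text, so a verifier must recompute that encoding from the envelope's own fields; and a valid signature alone is not enough, the verifier also has to check that the statement's subject digest is the artifact actually being deployed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strconv"
)

// DSSE envelope as serialised on the wire. Each sig covers PAE(payloadType, payload).
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Minimal in-toto Statement v1, the document carried as the envelope payload.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
}

const inTotoPayloadType, statementTypeV1 = "application/vnd.in-toto+json", "https://in-toto.io/Statement/v1"

// pae is DSSE Pre-Authentication Encoding: it binds the payload type and the byte length
// of each field, so a signature cannot be reused under another payload type or truncated.
func pae(payloadType string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " " + string(payload))
}

// Sign serialises the statement into an envelope carrying one Ed25519 signature.
func Sign(priv ed25519.PrivateKey, keyID string, st Statement) (Envelope, error) {
	body, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(inTotoPayloadType, body))
	return Envelope{PayloadType: inTotoPayloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify accepts the envelope only if some signature validates under a trusted key and the
// statement's subject lists the sha256 of the artifact about to be deployed. Signatures by
// unknown key IDs are skipped rather than treated as errors.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey, artifactSHA256 string) (*Statement, error) {
	if env.PayloadType != inTotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	msg := pae(env.PayloadType, body) // recomputed from the envelope's own fields
	verified := false
	for _, s := range env.Signatures {
		pub, known := trusted[s.KeyID]
		raw, decErr := base64.StdEncoding.DecodeString(s.Sig)
		verified = verified || (known && decErr == nil && ed25519.Verify(pub, msg, raw))
	}
	if !verified {
		return nil, fmt.Errorf("no valid signature from a trusted key")
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return nil, err
	}
	if st.Type != statementTypeV1 {
		return nil, fmt.Errorf("unexpected statement type %q", st.Type)
	}
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == artifactSHA256 {
			return &st, nil
		}
	}
	return nil, fmt.Errorf("statement does not cover artifact sha256 %s", artifactSHA256)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for a Fulcio-issued identity
	digest := fmt.Sprintf("%x", sha256.Sum256([]byte("constructed sample artifact bytes")))
	st := Statement{Type: statementTypeV1, PredicateType: "https://example.com/ci-step/v0", // hypothetical
		Subject: []Subject{{Name: "app.tar.gz", Digest: map[string]string{"sha256": digest}}}}
	env, _ := Sign(priv, "ci-key-1", st)
	trusted := map[string]ed25519.PublicKey{"ci-key-1": pub}
	_, err := Verify(env, trusted, digest)
	fmt.Println("genuine envelope:", err)
	env.Payload = base64.StdEncoding.EncodeToString([]byte(`{"_type":"` + statementTypeV1 + `"}`)) // tamper
	_, err = Verify(env, trusted, digest)
	fmt.Println("tampered payload:", err)
}
```

Running it prints `<nil>` for the genuine envelope and a signature error for the one whose payload was swapped after signing. Note what this verifier deliberately does not do: it never checks when the signature was made or whether the signing certificate was valid at that time. With the 10-minute certificates the platform's Certificate Authority issues, that is exactly the gap its Time Stamping Authority exists to close.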

Get in touch

For platform access, pricing, or a demo:

Learn more

Primary sources, written by the TestifySec team: