cilock and Witness

Witness originated at TestifySec and was donated to the CNCF in-toto ecosystem. It is now maintained by the open community.

Cilock is described in its own source as "a witness-compatible CI attestation CLI with all attestors and signers." The two tools are bidirectionally interoperable.

What witness provides

From the witness project itself:

  • ✏️ Attests: a CLI that integrates into pipelines to create an audit trail using the in-toto specification.
  • 🧐 Verifies: a policy engine with embedded OPA Rego support.
  • Implements in-toto including ITE-5, ITE-6, and ITE-7.
  • Keyless signing with Sigstore (Fulcio) and SPIFFE/SPIRE.
  • RFC 3161 timestamp authority support.
  • Process tracing and process tampering prevention (experimental).
  • Attestation storage with Archivista.
  • Integrations with GitLab, GitHub, AWS, and GCP.

How cilock relates

Cilock is built on the same attestation core that powers witness: both live in the rookery monorepo and share the attestation/ library plus the full set of attestor and signer plugins.

What cilock adds:

  • A CI-focused binary that bundles the attestor and signer set most relevant to CI/CD.
  • Bidirectional interop with witness via legacy type aliases (attestation.RegisterLegacyAliases() is called on startup), so a cilock attestation can be verified by witness verify and vice versa.
  • FIPS mode on by default (//go:debug fips140=on).

Migration notes

If you're coming from witness:

  • The CLI surface (run, sign, verify) maps directly.
  • Attestation envelopes you produced with witness will verify under cilock without modification.
  • Policies signed under witness (DSSE payload type https://witness.testifysec.com/policy/v0.1) work with cilock.
  • The full attestor set is the same; cilock's binary registers a CI-focused subset by default. If you depended on an attestor not in cilock's default list (e.g. inspec, kube-bench, nessus, oscap, prowler, vsa), build a custom binary using the rookery builder.
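As an added example (not witness or cilock code), a small stdlib-only Python pre-check for policy envelopes you are about to carry over: it confirms the DSSE payloadType is the witness policy type above, decodes the policy, lists the signer key IDs, and computes the DSSE pre-authentication encoding (PAE) bytes that either tool verifies a signature over. The sample policy, envelope and placeholder signature are constructed here; the policy field names are assumed.

```python
import base64
import json

# Payload type witness uses for signed policies (from the migration notes).
WITNESS_POLICY_TYPE = "https://witness.testifysec.com/policy/v0.1"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the exact bytes that are signed.
    PAE = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body (LEN in decimal ASCII)."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def inspect_policy_envelope(envelope_json: str) -> dict:
    """Summarise a DSSE envelope: is it a witness policy, which steps does it
    define, who signed it, and how many PAE bytes does a verifier hash."""
    env = json.loads(envelope_json)
    ptype = env.get("payloadType", "")
    payload = base64.b64decode(env["payload"])
    policy = json.loads(payload)
    return {
        "is_witness_policy": ptype == WITNESS_POLICY_TYPE,
        "payload_type": ptype,
        "pae_len": len(pae(ptype, payload)),
        "keyids": [s.get("keyid", "") for s in env.get("signatures", [])],
        "steps": sorted(policy.get("steps", {}).keys()),  # assumed layout
    }


# Constructed sample: a minimal witness-style policy in a DSSE envelope.
# The signature value is a placeholder, not a real signature.
SAMPLE_POLICY = {
    "expires": "2030-01-01T00:00:00Z",
    "steps": {"build": {"name": "build", "attestations": []}},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": WITNESS_POLICY_TYPE,
    "payload": base64.b64encode(json.dumps(SAMPLE_POLICY).encode()).decode(),
    "signatures": [{"keyid": "placeholder-keyid",
                    "sig": base64.b64encode(b"placeholder").decode()}],
})

if __name__ == "__main__":
    print(json.dumps(inspect_policy_envelope(SAMPLE_ENVELOPE), indent=2))
```

An envelope that reports is_witness_policy as False will not be accepted as a policy by either tool, so check this before re-signing anything.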

Upstream