(StandardSBOMDocument, SigningKey) -> InTotoAttestation
Wrap an SBOM payload inside an in-toto statement and sign it with a key pair to produce a verifiable attestation.
Problem it solves
An unsigned software bill of materials can be altered in transit without the consumer noticing, which undermines supply-chain trust in everything the SBOM is supposed to vouch for.
Consumes: StandardSBOMDocument, SigningKey
Emits: InTotoAttestation
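The wrap-and-sign step described above, as an added Go example that is not code from the original page or from any named project: it places the SBOM in an in-toto Statement v1 as the predicate, binds it to the artifact it describes through a sha256 subject digest, signs the DSSE pre-authentication encoding with Ed25519, and lets the consumer verify before parsing. The function names, the treatment of StandardSBOMDocument as raw JSON bytes, and the predicate type passed by the caller are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const payloadType = "application/vnd.in-toto+json" // DSSE payloadType for in-toto statements

type Signature struct {
	Sig string `json:"sig"` // base64, over the PAE of the payload, not the raw bytes
}
type Envelope struct { // DSSE envelope (https://github.com/secure-systems-lab/dsse)
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// pae is DSSE Pre-Authentication Encoding; signing it rather than the body also commits to the payload type.
func pae(t string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(t), t, len(body), body))
}

// Attest wraps an SBOM for one artifact in an in-toto Statement v1 and signs the resulting envelope (assumed API).
func Attest(sbom json.RawMessage, predType, name string, artifact []byte, priv ed25519.PrivateKey) (Envelope, error) {
	st := map[string]any{ // the SBOM is the predicate; the artifact it describes is the subject, bound by digest
		"_type": "https://in-toto.io/Statement/v1", "predicateType": predType, "predicate": sbom,
		"subject": []map[string]any{{"name": name, "digest": map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(artifact))}}},
	}
	body, err := json.Marshal(st) // fails if sbom is not valid JSON
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{payloadType, base64.StdEncoding.EncodeToString(body), []Signature{{base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify returns the statement bytes only if some signature validates under pub; a payload or payload type altered in transit fails, since both sit inside the signed PAE.
func Verify(env Envelope, pub ed25519.PublicKey) ([]byte, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	for _, s := range env.Signatures {
		if sig, sigErr := base64.StdEncoding.DecodeString(s.Sig); err == nil && sigErr == nil && ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
			return body, nil
		}
	}
	return nil, fmt.Errorf("SBOM attestation rejected: no signature in the envelope verifies under the given key")
}
```

The producer generates a key pair with ed25519.GenerateKey, calls Attest and ships the Envelope next to the artifact; the consumer calls Verify with the public key and only then parses the SBOM out of the returned statement.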