CNCF Announces Graduation of in-toto Security Framework, Enhancing Software Supply Chain Integrity Across Industries

NYU Tandon-developed software security framework achieves highest CNCF maturity level, combating rising software supply chain attacks

SAN FRANCISCO, April 23, 2025 /PRNewswire/ -- The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, today announced the graduation of in-toto, a software supply chain security framework developed at the NYU Tandon School of Engineering.

According to Linux Foundation Research's 2024 report Strengthening License Compliance and Software Security with SBOM Adoption, software bills of materials (SBOMs) help organizations identify vulnerabilities early and improve traceability. The report highlights rising regulatory pressure and the need for greater supply chain transparency—priorities that align with in-toto's ability to verify every step in the software lifecycle.

"We're pleased to welcome in-toto as our next CNCF graduated project," said Chris Aniszczyk, CTO, CNCF. "in-toto addresses a critical and growing need in our ecosystem—ensuring trust and integrity in how software is built and delivered. As software supply chain threats grow in scale and complexity, in-toto enables organizations to confidently verify their development workflows, reducing risk, enabling compliance, and ultimately accelerating secure innovation."

in-toto creates a verifiable record of the entire software development lifecycle—from initial coding to end-user installation—ensuring each step is executed by authorized entities in the correct order. This comprehensive approach helps prevent costly security breaches, strengthens compliance with evolving cybersecurity standards, and increases confidence in software reliability. It's already in use by companies like SolarWinds and integrated into industry standards such as OpenVEX and SLSA. Adoption is further supported by tools like Witness and Archivista, which ease implementation and reduce developer overhead for organizations, such as Autodesk.

"The fact that Witness and Archivista have reduced developer friction so significantly has really set the in-toto framework apart for us," said Jesse Sanford, Software Architect at Autodesk. "This tooling makes the process incredibly smooth and means we can now run securely by default. We don't have to ask our software development teams to go through any hurdles to get to the point where proof is generated. Instead, we can leverage toolchains in the critical path of software being promoted to production, to generate enough trust."

Since joining CNCF as a Sandbox project in 2019, in-toto has reached significant milestones, advancing to incubation status in March 2022 and achieving its version 1.0 specification release in June 2023. Its growth continues through strong support from major funding agencies, including the National Science Foundation, Defense Advanced Research Projects Agency, and Air Force Research Laboratory, ensuring ongoing innovation and industry impact.

"in-toto's graduation validates our lab's pioneering work in software security," said Justin Cappos, faculty member in NYU Tandon School of Engineering's Department of Computer Science and Engineering's Department of Computer Science and Engineering and a member of the NYU Center for Cybersecurity, who serves on in-toto's steering committee. "Through the support of our amazing community of in-toto contributors, maintainers, and adopters, what began as an academic research project has evolved into an industry standard, demonstrating how university research can directly address critical real-world cybersecurity challenges."

"With the increasing frequency and sophistication of software supply chain attacks, in-toto's graduation validates its essential role in protecting organizations," said Santiago Torres-Arias, faculty member at the Purdue University Elmore Family School of Electrical and Computer Engineering.

The framework was initially developed under Cappos' supervision by then-student Torres-Arias, alongside collaborators from the New Jersey Institute of Technology. This graduation marks the second CNCF-graduated project led by Cappos, who also oversees The Update Framework (TUF), which protects software update systems and graduated in 2019.

To graduate from incubating status, in-toto underwent a rigorous CNCF review that included publishing end-user case studies and enhancing governance and onboarding practices. Looking forward, the project's roadmap will focus on advancing policy language support, allowing adopters to clearly define and enforce security constraints across their software supply chains.

To learn more about in-toto or to get involved with the community, visit https://in-toto.io.

Additional Resources

• CNCF Newsletter
• CNCF Twitter
• CNCF Website
• Learn About CNCF Membership
• Learn About the CNCF End User Community

About Cloud Native Computing Foundation
Cloud native computing empowers organizations to build and run scalable applications with an open-source software stack across public, private, and hybrid clouds. The CNCF hosts critical components of global technology infrastructure, including Kubernetes, Prometheus, and Envoy, bringing together top developers, end users, and vendors. Supported by over 800 members, including the world's largest technology companies and over 200 innovative startups, CNCF is part of the nonprofit Linux Foundation. For more information, visit www.cncf.io.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page. Linux is a registered trademark of Linus Torvalds.

Media Contact

Kaitlin Thornhill
The Linux Foundation
[email protected]

SOURCE Cloud Native Computing Foundation