Hardware-based attestation and intrusion detection app for Android. It provides both local verification with another Android device via QR codes and optional scheduled server-based verification with support for alert emails. It uses hardware-backed keys and attestation support as the foundation and chains trust to the app for software checks.

SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more

A CNCF Project to Bootstrap & Maintain Trust on the Edge / Cloud and IoT

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.

Libraries to abstract aspects of working with TPMs for the purposes of attestation

Confidential Computing Zoo provides confidential computing solutions based on Intel SGX, TDX, HEXL, etc. technologies.

A compilation of resources in the software supply chain security domain, with emphasis on open source

in-toto Attestation Framework

inVtero.net: A high speed (Gbps) Forensics, Memory integrity & assurance. Includes offensive & defensive memory capabilities. Find/Extract processes, hypervisors (including nested) in memory dumps using microarchitechture independent Virtual Machiene Introspection techniques

Verax is a shared registry for storing attestations of public interest on EVM chains, designed to enhance data discoverability and consumption for dApps across the network.

Kotlin Multiplatform Crypto/PKI/ASN.1 Library with Attestation and Hardware-Backed Crypto Support on Mobile

attestation.app remote attestation server. Server code for use with the Auditor app: https://github.com/GrapheneOS/Auditor. It provides two services: submission of attestation data samples and a remote attestation implementation with email alerts to go along with the local implementation based on QR code scanning in the app.

Attestation and Secret Delivery Components

📜 "Coinbase Verifications" is a set of Coinbase-verified onchain attestations that enable access to apps and other onchain benefits.

🐾 Caracal is pre-execution authority enforcement for AI agents controlling delegated actions with real-time revocation and immutable proof.

Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance

Functionality and DataModels of OWASP CycloneDX for Python

MultiZone® Security TEE is the quick and safe way to add security and separation to any RISC-V processors. The RISC-V standard ISA doesn't define TrustZone-like primitives to provide hardware separation. To shield critical functionality from untrusted third-party components, MultiZone provides hardware-enforced, software-defined separation of multi

Documentation source and development of the PSA Certified API

Server-side library to validate the authenticity of Apple App Attest artifacts, written in Kotlin.

Calculate AMD SEV/SEV-ES/SEV-SNP measurement for confidential computing

A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.

SSH Certificate Authority with device attestation

(Android) Hide encrypted secret API keys in C/C++ code, retrieve and decrypt them via JNI. Google SafetyNet APIs example.

Umbrella repository for blockchain based supply-chain services and clients

vexctl is a tool to attest VEX impact statements

🔴🟡🟢 The Amazing Multipurpose Policy Engine (and L)

A small subset of the submitted sample data from https://github.com/GrapheneOS/Auditor. It has a sample attestation certificate chain per device model (ro.product.model) along with a subset of the system properties from the sample as supplementary information.

Remote Key Attestation

An OIDC authorization server building blocks with security and privacy by design philosophy.