GitLab announced the launch of GitLab 18, which natively integrates AI capabilities into the platform and adds major new innovations across core DevOps and security and compliance workflows; these are available now, with further enhancements planned throughout the year.
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of in-toto, a software supply chain security framework developed at the NYU Tandon School of Engineering.
According to Linux Foundation Research’s 2024 report Strengthening License Compliance and Software Security with SBOM Adoption, software bills of materials (SBOMs) help organizations identify vulnerabilities early and improve traceability. The report highlights rising regulatory pressure and the need for greater supply chain transparency—priorities that align with in-toto’s ability to verify every step in the software lifecycle.
Chris Aniszczyk, CTO, CNCF, said: “in-toto addresses a critical and growing need in our ecosystem—ensuring trust and integrity in how software is built and delivered. As software supply chain threats grow in scale and complexity, in-toto enables organizations to confidently verify their development workflows, reducing risk, enabling compliance, and ultimately accelerating secure innovation.”
in-toto creates a verifiable record of the entire software development lifecycle, from initial coding to end-user installation, so that a verifier can check that each step was executed by an authorized entity in the correct order (in in-toto's terms, each step produces signed link metadata that is checked against a layout defining who may perform which step and which artifacts must flow between steps). This approach helps prevent costly security breaches, strengthens compliance with evolving cybersecurity standards, and increases confidence in software reliability.
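The following is an added illustration of the verification model described above; it is not in-toto's own code. It models a two-step layout (build, then package), signs each step's link metadata with the key the layout authorizes for that step, and verifies that the artifact produced by one step is the artifact the next step consumed. Assumptions: HMAC-SHA256 with a per-functionary shared secret stands in for the asymmetric signatures real in-toto uses, the layout format is a simplification, and all artifacts, keys and step names are constructed for the example.

```python
"""Simplified model of in-toto layout/link verification (added example, not
in-toto's own code). Assumption: HMAC-SHA256 with a per-functionary secret
stands in for the Ed25519/RSA signatures used by real in-toto; the layout and
link schemas below are reduced to what the checks need. All artifacts, keys
and step names are constructed for the example."""
import hashlib
import hmac
import json

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_link(step, materials, products, key):
    """Functionary side: record hashes of what a step consumed and produced,
    then sign the record with that functionary's key."""
    signed = {"_type": "link", "name": step,
              "materials": {p: sha256(b) for p, b in materials.items()},
              "products": {p: sha256(b) for p, b in products.items()}}
    payload = json.dumps(signed, sort_keys=True).encode()
    return {"signed": signed, "sig": hmac.new(key, payload, "sha256").hexdigest()}

def verify_chain(layout, links, keys):
    """Verifier side: walk the layout's steps in order and return
    (ok, findings). 'keys' maps key id -> secret (constructed)."""
    findings = []
    prev_products = None
    for step in layout["steps"]:
        name = step["name"]
        link = links.get(name)
        if link is None:
            findings.append(f"{name}: no link metadata")
            return False, findings
        # Signature must be by the key the layout authorizes for this step.
        payload = json.dumps(link["signed"], sort_keys=True).encode()
        expected = hmac.new(keys[step["key"]], payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            findings.append(f"{name}: signature not by authorized key {step['key']}")
            return False, findings
        signed = link["signed"]
        if signed["name"] != name:
            findings.append(f"{name}: link was issued for step {signed['name']}")
            return False, findings
        # MATCH rule: listed materials must be exactly the previous step's products.
        if prev_products is not None:
            for path in step["match_materials"]:
                if signed["materials"].get(path) != prev_products.get(path):
                    findings.append(f"{name}: material {path} does not match previous step's product")
                    return False, findings
        for path in step["expected_products"]:
            if path not in signed["products"]:
                findings.append(f"{name}: expected product {path} missing")
                return False, findings
        prev_products = signed["products"]
    return True, findings

LAYOUT = {  # constructed example layout: who may do what, in which order
    "steps": [
        {"name": "build", "key": "builder", "match_materials": [],
         "expected_products": ["app.bin"]},
        {"name": "package", "key": "packager", "match_materials": ["app.bin"],
         "expected_products": ["app.tar"]},
    ]
}
KEYS = {"builder": b"builder-secret", "packager": b"packager-secret"}  # constructed

def scenarios():
    """Run the verifier over an honest chain and two tampered chains."""
    src, app, tar = b"int main(){}", b"\x7fELF-good", b"tarball"
    honest = {
        "build": sign_link("build", {"main.c": src}, {"app.bin": app}, KEYS["builder"]),
        "package": sign_link("package", {"app.bin": app}, {"app.tar": tar}, KEYS["packager"]),
    }
    # Binary swapped between build and package: the packager honestly records
    # the hash of what it consumed, so the MATCH rule exposes the substitution.
    swapped = dict(honest)
    swapped["package"] = sign_link("package", {"app.bin": b"\x7fELF-evil"},
                                   {"app.tar": tar}, KEYS["packager"])
    # Attacker holding only the packager key tries to sign the build step.
    rogue = dict(honest)
    rogue["build"] = sign_link("build", {"main.c": src},
                               {"app.bin": b"\x7fELF-evil"}, KEYS["packager"])
    return {label: verify_chain(LAYOUT, links, KEYS)
            for label, links in (("honest", honest), ("swapped", swapped), ("rogue", rogue))}

if __name__ == "__main__":
    for label, (ok, findings) in scenarios().items():
        print(label, "OK" if ok else "FAIL", findings)
```

The real implementations (the `in-toto` Python reference implementation and in-toto-golang) use asymmetric functionary keys and a richer artifact-rule language (MATCH, CREATE, DELETE, MODIFY, ALLOW, DISALLOW, REQUIRE) than the single MATCH check modelled here, but the shape of the verification is the same: a layout signed by the project owner names the steps, the keys allowed to sign each one, and how artifacts must flow between them, and the verifier refuses the chain when any step is unsigned, signed by the wrong key, or consumes an artifact the previous step did not produce.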
Since joining CNCF as a Sandbox project in 2019, in-toto has reached significant milestones, advancing to incubation status in March 2022 and achieving its version 1.0 specification release in June 2023. Its growth continues through strong support from major funding agencies, including the National Science Foundation, Defense Advanced Research Projects Agency, and Air Force Research Laboratory, ensuring ongoing innovation and industry impact.
“in-toto’s graduation validates our lab’s pioneering work in software security,” said Justin Cappos, faculty member in NYU Tandon School of Engineering’s Department of Computer Science and Engineering and a member of the NYU Center for Cybersecurity, who serves on in-toto’s steering committee. “Through the support of our amazing community of in-toto contributors, maintainers, and adopters, what began as an academic research project has evolved into an industry standard, demonstrating how university research can directly address critical real-world cybersecurity challenges.”
“With the increasing frequency and sophistication of software supply chain attacks, in-toto’s graduation validates its essential role in protecting organizations,” said Santiago Torres-Arias, faculty member at the Purdue University Elmore Family School of Electrical and Computer Engineering.
The framework was initially developed under Cappos’ supervision by then-student Torres-Arias, alongside collaborators from the New Jersey Institute of Technology. This graduation marks the second CNCF-graduated project led by Cappos, who also oversees The Update Framework (TUF), which protects software update systems and graduated in 2019.
To graduate from incubating status, in-toto underwent a rigorous CNCF review that included publishing end-user case studies and enhancing governance and onboarding practices. Looking forward, the project’s roadmap will focus on advancing policy language support, allowing adopters to clearly define and enforce security constraints across their software supply chains.
Industry News
Perforce Software is partnering with Siemens Digital Industries Software to transform how smart, connected products are designed and developed.
Reply launched Silicon Shoring, a new software delivery model powered by Artificial Intelligence.
CIQ announced the tech preview launch of Rocky Linux from CIQ for AI (RLC-AI), an operating system engineered and optimized for artificial intelligence workloads.
The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families, extending beyond cybersecurity specialists.
CodeRabbit is now available on the Visual Studio Code editor.
The integration brings CodeRabbit’s AI code reviews directly into Cursor, Windsurf, and VS Code at the earliest stage of software development, inside the code editor itself, at no cost to developers.
Chainguard announced Chainguard Libraries for Python, an index of malware-resistant Python dependencies built securely from source on SLSA L2 infrastructure.
Sysdig announced the donation of Stratoshark, the company’s open source cloud forensics tool, to the Wireshark Foundation.
Pegasystems unveiled Pega Predictable AI™ Agents that give enterprises extraordinary control and visibility as they design and deploy AI-optimized processes.
Kong announced the introduction of the Kong Event Gateway as a part of their unified API platform.
Azul and Moderne announced a technical partnership to help Java development teams identify, remove and refactor unused and dead code to improve productivity and dramatically accelerate modernization initiatives.
Parasoft has added Agentic AI capabilities to SOAtest, featuring API test planning and creation.
Zerve unveiled a multi-agent system engineered specifically for enterprise-grade data and AI development.
LambdaTest, a unified agentic AI and cloud engineering platform, has announced its partnership with MacStadium, the industry-leading private Mac cloud provider enabling enterprise macOS workloads, to accelerate its AI-native software testing by leveraging Apple Silicon.
Tricentis announced a new capability that injects Tricentis’ AI-driven testing intelligence into SAP’s integrated toolchain, part of RISE with SAP methodology.