
The Cloud Native Computing Foundation (CNCF) today announced the graduation of in-toto, a software supply chain security framework developed at the NYU Tandon School of Engineering.
According to Linux Foundation Research’s 2024 report “Strengthening License Compliance and Software Security with SBOM Adoption,” software bills of materials (SBOMs) help organizations identify vulnerabilities early and improve traceability. The report highlights rising regulatory pressure and the need for greater supply chain transparency—priorities that align with in-toto’s ability to verify every step in the software lifecycle.
“We’re pleased to welcome in-toto as our next CNCF graduated project,” Chris Aniszczyk, CTO of CNCF, said in the announcement. “in-toto addresses a critical and growing need in our ecosystem—ensuring trust and integrity in how software is built and delivered. As software supply chain threats grow in scale and complexity, in-toto enables organizations to confidently verify their development workflows, reducing risk, enabling compliance, and ultimately accelerating secure innovation.”
in-toto creates a verifiable record of the software development lifecycle—from initial coding to end-user installation—ensuring each step is executed by authorized entities in the correct order. This approach helps prevent security breaches, strengthens compliance with evolving cybersecurity standards, and increases confidence in software reliability. According to the CNCF announcement, the security framework is already integrated into industry standards such as OpenVEX and SLSA, and adoption is further supported by tools like Witness and Archivista.
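The check described above, as an added illustration that is not the in-toto project's own code: a layout names the steps, their order and the functionary authorized to sign each one; every step emits signed link metadata recording what it consumed (materials) and produced (products); verification rejects a chain with a missing step, an unauthorized signer, or artifacts that changed between steps. The field names are simplified, and HMAC with per-functionary secret keys stands in for in-toto's public-key signatures so the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed example. Each functionary holds a key; real in-toto uses
# public-key signatures, HMAC is a self-contained stand-in (assumption).
KEYS = {"dev": b"dev-secret-key", "builder": b"builder-secret-key"}
LAYOUT = [{"name": "clone", "functionary": "dev"},
          {"name": "build", "functionary": "builder"}]

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(key: bytes, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_link(key: bytes, step: str, materials: dict, products: dict) -> dict:
    link = {"step": step, "materials": materials, "products": products}
    return {"signed": link, "sig": sign(key, link)}

def verify_chain(layout: list, links: dict, keys: dict) -> tuple:
    """Check each step's link is signed by its authorized functionary and that
    its materials equal the previous step's products (no tampering in between)."""
    prev_products = None
    for step in layout:
        link = links.get(step["name"])
        if link is None:
            return False, f"missing link for step {step['name']}"
        expected = sign(keys[step["functionary"]], link["signed"])
        if not hmac.compare_digest(expected, link["sig"]):
            return False, f"step {step['name']} not signed by {step['functionary']}"
        if prev_products is not None and link["signed"]["materials"] != prev_products:
            return False, f"artifacts changed before step {step['name']}"
        prev_products = link["signed"]["products"]
    return True, "ok"
# Constructed artifacts: hashes of the source and of the binary built from it.
SRC = {"main.c": digest(b"int main(void){return 0;}")}
BIN = {"app": digest(b"\x7fELF-constructed-binary")}
def good_links() -> dict:
    return {"clone": make_link(KEYS["dev"], "clone", {}, SRC),
            "build": make_link(KEYS["builder"], "build", SRC, BIN)}
def tampered_links() -> dict:
    # Source modified between clone and build, so materials no longer match.
    links = good_links()
    bad_src = {"main.c": digest(b"int main(void){/*injected*/return 0;}")}
    links["build"] = make_link(KEYS["builder"], "build", bad_src, BIN)
    return links
```

Calling `verify_chain(LAYOUT, tampered_links(), KEYS)` reports the artifact mismatch, and signing the build link with the dev key instead of the builder key is rejected as an unauthorized functionary.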
in-toto joined the CNCF as a Sandbox project in 2019, the foundation said, and gained incubation status in March 2022, achieving its version 1.0 specification release in June 2023. Driving its growth is funding support from agencies such as the National Science Foundation, Defense Advanced Research Projects Agency, and Air Force Research Laboratory, ensuring ongoing innovation and industry impact.
“in-toto’s graduation validates our lab’s pioneering work in software security,” said Justin Cappos, faculty member at the NYU Tandon School of Engineering and a member of the NYU Center for Cybersecurity, who serves on in-toto’s steering committee. “Through the support of our amazing community of in-toto contributors, maintainers, and adopters, what began as an academic research project has evolved into an industry standard, demonstrating how university research can directly address critical real-world cybersecurity challenges.”
“With the increasing frequency and sophistication of software supply chain attacks, in-toto’s graduation validates its essential role in protecting organizations,” said Santiago Torres-Arias, faculty member at the Purdue University Elmore Family School of Electrical and Computer Engineering who worked under Cappos’s supervision to develop the framework. Other collaborators were from the New Jersey Institute of Technology. This graduation marks the second CNCF-graduated project led by Cappos, who also oversees The Update Framework (TUF), which protects software update systems and graduated in 2019.
To learn more about in-toto or to get involved with the community, visit https://in-toto.io.