In collaboration with X41 and in-toto, OSTIF is pleased to announce the publication of our audit of in-toto’s source code. In-toto, which has implementations in Python and Go, is a framework software for supply chain security. Integrating security and transparency through the entire process of application, in-toto’s holistic view of supply chain security is admired by us at OSTIF. 

Using manual review (aided with differing static code analyzers for the respective code languages), X41 D-sec team identified 1 High, 4 Medium, and 3 Low severity vulnerabilities. In-toto’s source code is foundationally strong, and reviewed all in-scope code in the designated audit period. Furthermore, X41’s team took measures to help improve the overall security posture of in-toto’s code. 

Of the eight vulnerabilities, the most critical could compromise the security chain all the way to final verification. In the Python implementation, multiple vulnerabilities were associated with data verification signed with PGP keys in the layout file imported from GnuPG. 

We extend our gratitude to the in-toto team, CNCF for their funding and support of this audit, and especially X-41DSec for their dedication and hard work on this audit. 

The full report for the in-toto audit can be found here: https://ostif.org/wp-content/uploads/2023/05/X41-in-toto-Audit-2023-Final-Report-PUBLIC.pdf

X41 D-sec’s blog on our audit can be found at https://x41-dsec.de/security/news/2023/05/26/in-toto/