Rookery
Rookery is the modular attestation monorepo where CI/lock is built. It splits the attestation core, every individual attestor, every signer, and the binary builder into separate Go modules so each can be versioned and consumed independently.
Archivista
Archivista is the open-source, self-hosted evidence store CI/lock integrates with — a searchable system for keeping signed build evidence instead of burying it in CI logs. You run and operate it yourself.
Witness
Witness originated at TestifySec and was donated to the CNCF in-toto ecosystem. It is now maintained by the open community.
Cosign
Cosign is the Sigstore project's CLI for signing container images, blobs, and SLSA / in-toto attestations. CI/lock and Cosign share the wire format: both produce and consume DSSE-wrapped in-toto Statements. They sit at different abstraction levels in a supply chain and are complementary, not competitive.
TestifySec Platform
CI/lock produces signed evidence. The TestifySec platform is the managed home for that evidence — where your attestations are stored, searchable, verifiable, and mapped to the compliance frameworks your auditors care about, with nothing for you to operate.