CI/lock is TestifySec's second in-toto implementation — it speaks the exact same DSSE/in-toto envelopes, so either tool verifies the other's evidence.
One command. Auto-detects your OS/arch, resolves the latest version, and verifies the signed SHA-256 checksums before installing.
curl -fsSL https://cilock.dev/install.sh | bash

Drop-in compatible with what you already produce. CI/lock reads and writes the same DSSE/in-toto envelopes as Witness, so there's no re-tooling your attestations — either tool verifies the other's evidence.
CI/lock wraps any CI/CD command and records what actually ran — source, env, argv, and input/output digests. Keyless signing with Fulcio + an RFC 3161 TSA, verifiable fully offline. And a human-signed policy gate that blocks the release until a human signs off — the thing cosign and the SLSA generators don't give you.
50+ attestors via the rookery factory, all Apache-2.0 and self-hostable — with an optional managed TestifySec Platform if you'd rather not run the trust infrastructure yourself.
Witness is our donated CNCF project — CI/lock complements it, it doesn't replace it.