Platform Driven Compliance with Sigstore at Autodesk
Why Autodesk built compliance into the platform
Pursuing FedRAMP authorization is normally a months-long evidence-collection exercise — screenshots, spreadsheets, and pipeline logs reconstructed after the fact. Autodesk's platform team rejected that model. Instead, they built compliance into the developer pipeline so the evidence is produced as a side effect of normal work.
In this talk, Autodesk Software Architect Jesse Sanford walks through how his team uses Sigstore for keyless container image signing, in-toto attestations generated by Witness, and Archivista as the central evidence store. Together, these tools satisfy multiple FedRAMP supply-chain controls without adding manual compliance work to developer workflows.
What the talk covers
Selecting an open-source supply-chain stack; integrating Witness into existing CI/CD steps with minimal changes; structuring attestations so policy decisions can be deferred to later in the SDLC; and how Archivista's queryable evidence store lets the compliance team answer auditor questions on demand instead of chasing screenshots quarter after quarter.
Originally published by the Cloud Native Computing Foundation (CNCF). Talk delivered by Jesse Sanford, Software Architect at Autodesk.
Key Takeaways
"Witness was absolutely the best fit for us. A single CLI tool that uses the in-toto specification, that can be plugged in to generate attestations and then defer policy decisions to later in the process — it is incredibly powerful." — Jesse Sanford
Container image signing via Sigstore satisfies FedRAMP controls concerned with container provenance.
Witness wraps existing build, test, and IaC steps to capture in-toto attestations without re-architecting pipelines.
Archivista centralizes attestations in a graph database so policy decisions can be deferred to later in the SDLC.
"The fact that Witness and Archivista have reduced developer friction so significantly has really set the in-toto framework apart for us." — Jesse Sanford
The same open-source stack delivers evidence for FedRAMP supply chain controls and the SLSA framework.
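To make the "defer policy decisions" idea concrete, here is an added illustration (not code from Autodesk, Witness or Archivista) of what a deferred check over stored attestations looks like: each CI step emits an in-toto Statement carrying a Witness-style attestation collection inside a DSSE envelope, the envelopes sit in a store, and a policy later asks whether a given artifact digest has attestations for every required step from a trusted signer. The `evaluate_policy` and `make_envelope` helpers, the sample key ids and the empty signature values are assumptions for the example; real verification would also check the DSSE signature (Sigstore keyless or a functionary key) before trusting a key id.

```python
import base64
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
COLLECTION_TYPE = "https://witness.testifysec.com/attestation-collection/v0.1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def make_envelope(step, subject_name, sha256, keyid):
    """Constructed sample: wrap a Witness-style attestation collection for one
    pipeline step in a DSSE envelope. The 'sig' value is a placeholder; a real
    envelope carries a signature over the DSSE pre-authentication encoding."""
    statement = {
        "_type": STATEMENT_TYPE,
        "predicateType": COLLECTION_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": sha256}}],
        "predicate": {"name": step, "attestations": []},
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": "<constructed-placeholder>"}]}


def decode_statement(envelope):
    """Unwrap the DSSE envelope and return the in-toto Statement as a dict."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        raise ValueError("unexpected DSSE payloadType")
    return json.loads(base64.b64decode(envelope["payload"]))


def evaluate_policy(store, artifact_sha256, policy):
    """Deferred policy check: for each required step, look for a stored
    attestation collection whose subject digest matches the artifact and whose
    envelope carries a key id the policy trusts for that step. Returns the list
    of steps with no acceptable evidence; an empty list means the policy passes.
    (Assumed simplification: the key id is matched but the signature itself is
    not cryptographically verified here.)"""
    missing = []
    for step, trusted_keyids in policy["steps"].items():
        satisfied = False
        for env in store:
            stmt = decode_statement(env)
            if stmt.get("predicateType") != COLLECTION_TYPE:
                continue
            if stmt["predicate"].get("name") != step:
                continue
            if not any(s["digest"].get("sha256") == artifact_sha256 for s in stmt["subject"]):
                continue
            if not any(sig.get("keyid") in trusted_keyids for sig in env["signatures"]):
                continue
            satisfied = True
            break
        if not satisfied:
            missing.append(step)
    return missing
```

Because the policy is evaluated against the store rather than inside the pipeline, the same attestations can be re-checked later against a stricter policy (for example, a new required step or a narrower set of trusted keys) without re-running any builds.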
Watch the Full Presentation
About the Speaker
Jesse Sanford
Jesse Sanford is a Software Architect at Autodesk, working at the intersection of platform engineering and security/compliance on the Developer Enablement team. He helped design the system Autodesk uses to perform container image signing for container-based workloads on the company's continuous delivery platform, supporting FedRAMP container-provenance controls.
His team's adoption of Witness, Archivista, and in-toto has been documented as a CNCF case study and shared at multiple CNCF and KubeCon events.
Related Resources
Autodesk Case Study (CNCF)
CNCF write-up of how Autodesk uses Witness, Archivista, and Sigstore to satisfy FedRAMP supply-chain controls.
Witness Documentation
Complete guide to implementing Witness in your CI/CD pipelines.
Archivista GitHub Repository
Open-source attestation storage and retrieval system.
In-toto Specification
Framework for securing software supply chains.
Sigstore
Keyless signing for software artifacts and container images.
Autodesk Case Study (TestifySec)
TestifySec's view of the same engagement, with implementation detail and outcomes.