How Autodesk shipped FedRAMP-ready evidence on every commit.
Autodesk integrated Witness and Archivista — the open-source projects behind the TestifySec Platform — into their CI/CD pipelines. The result: continuous, cryptographic evidence for FedRAMP, with zero manual screenshots.
NIST SP 800-204D co-author · CNCF Supply Chain whitepaper contributors · in-toto maintainers
From manual compliance to continuous attestation.
A heterogeneous stack and a federal ATO on the line.
Autodesk operates a complex, acquisition-heavy tech stack across AutoCAD and its broader Design and Make platform. To sell into the federal government, they needed a FedRAMP Moderate ATO — which meant producing continuous, cryptographic evidence across CI/CD pipelines built on dozens of open-source projects, without slowing developers down or generating manual compliance work.
in-toto, Witness, and Archivista wired into every pipeline.
Jesse Sanford and the AppSec team chose Witness — a CLI observability tool implementing the in-toto specification — to wrap their existing build, test, and IaC steps. Archivista became the central graph database for in-toto attestations, enabling policy decisions to be deferred to later in the SDLC and queried on demand. Both projects are open-source and live in the CNCF.
FedRAMP-ready evidence on every commit. No screenshots.
Today Autodesk generates signed provenance and attestations as a side effect of normal CI/CD. The same evidence base satisfies FedRAMP supply-chain controls, drives policy enforcement at deploy time, and unlocks new federal markets — while the AppSec team continues to contribute back to the in-toto project upstream.
“Witness was absolutely the best fit for us. A single CLI tool that uses the in-toto specification, that can be plugged in to generate attestations and then defer policy decisions to later in the process — it is incredibly powerful.”

in-toto + Witness + Archivista, wired through CI/CD.
Autodesk evaluated commercial supply-chain tools but found them closed and hard to integrate. Witness — built on the open in-toto specification — let them wrap their existing CI/CD steps without re-architecting pipelines. Archivista provided centralized storage and a GraphQL query layer for real-time policy validation.
Static analysis & SBOM
Witness wraps Terraform module analysis, capturing metadata and producing SBOMs for every module with full dependency provenance.
Build & test
Witness generates signed attestations at every build and test step, producing in-toto provenance for every artifact.
Centralized storage
Archivista stores all attestations centrally and exposes them via GraphQL, enabling real-time policy validation without manual evidence collection.
Policy enforcement
At deploy time, Witness and Archivista verify attestations against policy — only signed, compliant artifacts proceed to production.
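The build-step attestation and the deploy-time gate described above, as an added example in Go (the language Witness and Archivista are written in); this is not code from Witness, Archivista or Autodesk's pipelines. It uses the public DSSE envelope and in-toto Statement v0.1 formats that Witness attestations are carried in, but the key id `ci-build-key`, the `buildPredicate` URI and the artifact bytes are constructed placeholders, the predicate is a stand-in rather than a Witness attestation collection, and the `gate` function is a minimal digest-plus-signature check rather than Witness's policy language.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// Envelope is a DSSE envelope, the signed wrapper around an in-toto Statement.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the Statement JSON
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"` // lets the verifier pick the matching trusted key
	Sig   string `json:"sig"`
}

// Statement is the in-toto Statement v0.1 shape: artifact digests plus a typed predicate.
type Statement struct {
	Type          string            `json:"_type"`
	Subject       []Subject         `json:"subject"`
	PredicateType string            `json:"predicateType"`
	Predicate     map[string]string `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

const payloadType = "application/vnd.in-toto+json"
const buildPredicate = "https://example.invalid/build-step/v0" // placeholder, not a real Witness predicate type

// pae is the DSSE pre-authentication encoding: the bytes that are actually signed.
func pae(ptype string, payload []byte) []byte {
	head := "DSSEv1 " + strconv.Itoa(len(ptype)) + " " + ptype + " " + strconv.Itoa(len(payload)) + " "
	return append([]byte(head), payload...)
}

// attest models what a wrapped CI step emits: the artifact's sha256 bound to a predicate, signed with the step key.
func attest(priv ed25519.PrivateKey, keyID, name string, artifact []byte, ptype string, pred map[string]string) Envelope {
	st := Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(artifact))}}},
		PredicateType: ptype,
		Predicate:     pred,
	}
	body, _ := json.Marshal(st) // cannot fail: only strings and string maps
	sig := ed25519.Sign(priv, pae(payloadType, body))
	sigs := []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body), Signatures: sigs}
}

// gate is the deploy-time decision: proceed only if an envelope verified under a trusted key and
// carrying the required predicate type lists this exact artifact digest; anything else is skipped.
func gate(trusted map[string]ed25519.PublicKey, envs []Envelope, artifact []byte, required string) error {
	want := fmt.Sprintf("%x", sha256.Sum256(artifact))
	for _, env := range envs {
		body, err := base64.StdEncoding.DecodeString(env.Payload)
		if err != nil || env.PayloadType != payloadType {
			continue
		}
		verified := false
		for _, s := range env.Signatures {
			raw, err := base64.StdEncoding.DecodeString(s.Sig)
			if pub, ok := trusted[s.KeyID]; ok && err == nil && ed25519.Verify(pub, pae(env.PayloadType, body), raw) {
				verified = true
			}
		}
		var st Statement
		if !verified || json.Unmarshal(body, &st) != nil || st.PredicateType != required {
			continue
		}
		for _, sub := range st.Subject {
			if sub.Digest["sha256"] == want {
				return nil
			}
		}
	}
	return errors.New("no trusted attestation covers this artifact digest")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"ci-build-key": pub} // constructed key id
	artifact := []byte("constructed build output")
	env := attest(priv, "ci-build-key", "app.bin", artifact, buildPredicate, map[string]string{"step": "build"})
	fmt.Println("genuine:", gate(trusted, []Envelope{env}, artifact, buildPredicate))
	fmt.Println("tampered:", gate(trusted, []Envelope{env}, []byte("tampered"), buildPredicate))
}
```

In the pipeline shape the page describes, the envelopes handed to `gate` would be fetched from Archivista by the artifact digest and the `trusted` key set would come from the signed policy, so the deploy step needs no evidence gathered by hand. The point of the check is what it refuses: an envelope with no signature, one signed by a key outside the policy, one whose payload was edited after signing (the DSSE signature covers the pre-authentication encoding, so the verify fails), one with the right signature but a different predicate type, and one whose subject digest is not the bytes being deployed.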
Why open source mattered
Both Witness and Archivista live in the CNCF, alongside the in-toto project itself. For Autodesk — a long-time CNCF contributor and co-founder of the Cloud Native Operational Excellence group (CNOE) — that impartial, foundation-governed open-source model was a non-negotiable. The team has since contributed pull requests back to Witness, including improvements merged within days of adoption.
Autodesk's AppSec and Developer Enablement teams now use the same evidence base for FedRAMP supply-chain controls, deploy-time policy enforcement, and on-demand attestation queries across the SDLC — with Archivista serving as a common data lake of cryptographic provenance.
Watch Jesse Sanford walk through the full implementation.
Software Architect Jesse Sanford explains how Autodesk integrated Witness and Archivista into production CI/CD pipelines to satisfy FedRAMP supply-chain requirements.
Originally published by the Cloud Native Computing Foundation (CNCF).
Want continuous compliance evidence like Autodesk?
The TestifySec Platform is built on the same open-source tools Autodesk runs in production — Witness and Archivista — with AI-powered control mapping and audit-ready reporting layered on top.