Show HN: CI/Lock – signed evidence of what your CI ran
Category: security
Tags: supply-chain-security, slsa, in-toto, attestation, go, cli-tool, ci-cd
Score: 8.0/10 (Innovation: 8, Technical: 8, Documentation: 9, Utility: 7)
Rookery is a modular supply-chain attestation toolkit written in Go. It produces signed in-toto/SLSA attestations at each stage of the software lifecycle, so that what a CI/CD pipeline actually ran and produced can be checked against signed evidence rather than taken on trust. It ships a CLI (cilock), a plugin system with more than 50 attestors, and several signing backends.
Target audience: devops, security engineers, platform engineers, backend devs
Repository: https://cilock.dev/ · Go · Apache-2.0 · 6 stars
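To make the page's "signed in-toto/SLSA evidence" concrete, here is an added example that is not CI/Lock's or Rookery's own code (the page shows none of the project's API): it builds an in-toto Statement whose subject is the sha256 of a build artifact, attaches a minimal SLSA v1 provenance predicate, wraps it in a DSSE envelope signed with Ed25519, and verifies it on the consumer side. It uses only the Go standard library. The artifact bytes, the builder ID `https://ci.example/runner`, the key ID `ci-key-1` and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Type identifiers from the in-toto attestation and SLSA provenance specs.
const (
	StatementType   = "https://in-toto.io/Statement/v1"
	ProvenanceType  = "https://slsa.dev/provenance/v1"
	DSSEPayloadType = "application/vnd.in-toto+json"
)

// Statement is the in-toto claim: these subjects (named by digest), this predicate.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is a DSSE envelope: base64 payload plus signatures over its PAE.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// pae is DSSE Pre-Authentication Encoding: the signature covers the payload type too.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

func sha256Hex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// NewProvenanceStatement binds a minimal SLSA v1 provenance predicate to the sha256
// of the artifact the build actually produced (builderID is a constructed value).
func NewProvenanceStatement(name string, artifact []byte, builderID string) *Statement {
	pred, _ := json.Marshal(map[string]any{"runDetails": map[string]any{"builder": map[string]string{"id": builderID}}}) // string-only map: cannot fail
	return &Statement{
		Type:          StatementType,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(artifact)}}},
		PredicateType: ProvenanceType,
		Predicate:     pred,
	}
}

// Sign serialises the statement and signs its PAE with an Ed25519 key.
func Sign(st *Statement, keyID string, priv ed25519.PrivateKey) (*Envelope, error) {
	payload, err := json.Marshal(st)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, pae(DSSEPayloadType, payload))
	return &Envelope{
		PayloadType: DSSEPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify fails closed: a wrong payload type, no signature from a key the verifier
// trusts, or a subject digest that does not match the artifact in hand all reject.
func Verify(env *Envelope, trusted map[string]ed25519.PublicKey, name string, artifact []byte) (*Statement, error) {
	if env.PayloadType != DSSEPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	msg, signed := pae(env.PayloadType, payload), false
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID] // keys come from the verifier's config, never from the envelope
		sig, derr := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || (ok && derr == nil && ed25519.Verify(pub, msg, sig))
	}
	if !signed {
		return nil, fmt.Errorf("no valid signature from a trusted key")
	}
	st := new(Statement) // parse the claim only after its signature has been checked
	if err := json.Unmarshal(payload, st); err != nil {
		return nil, err
	}
	for _, sub := range st.Subject {
		if sub.Name == name && sub.Digest["sha256"] == sha256Hex(artifact) {
			return st, nil
		}
	}
	return nil, fmt.Errorf("statement does not cover %s with digest %s", name, sha256Hex(artifact))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed artifact bytes, not a real build output")
	env, _ := Sign(NewProvenanceStatement("app.tar.gz", artifact, "https://ci.example/runner"), "ci-key-1", priv)
	_, err := Verify(env, map[string]ed25519.PublicKey{"ci-key-1": pub}, "app.tar.gz", artifact)
	fmt.Println("verified:", err == nil)
}
```

Two design points carry over to any consumer of tool-generated attestations: the signature is computed over the DSSE PAE, so the payload type is bound into it and the same bytes cannot be reinterpreted under another type; and the verifier resolves `keyid` against its own trust store and checks the subject digest against the artifact it actually has, so a valid signature over someone else's artifact is still rejected.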