In April 2025, the Cloud Native Computing Foundation® (CNCF) announced the graduation of in-toto, a ground-breaking software supply chain security framework developed at the NYU Tandon School of Engineering. Achieving graduation status means in-toto has undergone rigorous review by the CNCF that included publishing end-user case studies and enhancing governance and onboarding practices, and has met all necessary requirements.
As covered in a number of online security publications, including Infoq.com and ITOpsTimes, in-toto creates a verifiable record of an entire software development lifecycle from initial coding to end-user installation. Developed under the guidance of Tandon Professor Justin Cappos and the leadership of Purdue University Assistant Professor Santiago Torres-Arias (who began work on the program as a Ph.D. student at NYU Tandon), the platform uses a series of signed attestations to ensure that each step is executed in the correct order by authorized entities. Already in use by companies like GitHub, Datadog (https://www.datadoghq.com/), Lockheed Martin (https://www.lockheedmartin.com/en-us/index.html), GitLab (https://about.gitlab.com/), and SolarWinds (https://www.solarwinds.com/), in-toto has also been integrated into industry standards such as OpenVEX (https://edu.chainguard.dev/open-source/sbom/what-is-openvex/) and SLSA (https://slsa.dev/).
When asked about the project, Professor Cappos said, “It’s been really humbling to have a project that started with 9 months of whiteboard discussions with Santiago turn into the de facto standard for software supply chain security data. We’re humbled by this success and really appreciate all of the community support that has led the project to this milestone.”
In announcing the graduation, Chris Aniszczyk, Chief Technical Officer for the CNCF, noted that “in-toto addresses a critical and growing need in our ecosystem—ensuring trust and integrity in how software is built and delivered. As software supply chain threats grow in scale and complexity, in-toto enables organizations to confidently verify their development workflows, reducing risk, enabling compliance, and ultimately accelerating secure innovation.” Cappos adds that, “Through the support of our amazing community of in-toto contributors, maintainers, and adopters, what began as an academic research project has evolved into an industry standard, demonstrating how university research can directly address critical real-world cybersecurity challenges.”
On April 30, 2025, TechStrong.TV conducted an interview with Torres-Arias about in-toto and the graduation. To watch the video, go to https://techstrong.tv/videos/interviews/santiago-torres-arias-on-in-totos-cncf-graduation.
