revelio

DISCLAIMER: PoC / WIP - Feedback is welcome !

Revelio brings auditability and integrity checks for open-source projects that live on the web.

It tries to answer the question:

What is the original source code of what's running on my machine, and how was it built ?

By linking auditability (linking to the public build process that created the artifacts and the original sources) with integrity (checking that built artifacts have not been tampered with at any point in storage or transport), Revelio automates transparency checks.

Usage

• [x] [Setup for Travis CI](./docs/usage/travis-ci.md)
• [x] [Setup for CircleCI](./docs/usage/circle-ci.md)
• [ ] GitLab CI
• [ ] Azure Pipelines
• [ ] Bitbucket Pipelines
• [ ] Jenkins

The revelio CLI tool

revelio is a command-line tool that does the following things:

• When running in a public CI, generate a revelio.json file.
• Verify a URL that contains a public /.well-known/revelio.json file.

For more details, see the documentation for revelio.

FAQ

How do I use it for private repositories ?

The core idea behind this project is to bring trust through transparency. Therefore, it will only ever work with public repositories and public CI services.

License

The MIT License (MIT)

Copyright (c) 2019 - present, François Best