Beta — Werfty is under active development. Interfaces may change between releases.

Werfty

Sign and verify software bill of materials attestations for Docker images and Python packages.


Cosign-signed SBOM attestations

Werfty signs a tamper-evident SBOM directly against your Docker image or PyPI package — anyone can verify it hasn't changed since it was signed.

Standard OCI storage

Attestations live in a standard OCI registry alongside your images — no proprietary silo, no lock-in. Addressable by image ref.

CI-scriptable verification

One command, werfty-verify, tells you whether a package's SBOM is trusted, untrusted, or missing. Exits 0/1/2 — gates the deploy cleanly.

Offline signing workflow

Generate your SBOM in one environment and sign it in another — your signing keys never touch your build servers.

How it works

  1. Generate

    Run werfty-generate against your Docker image or PyPI package to produce a signed SBOM.

  2. Attest

    Run werfty-attest to push the SBOM as a cosign attestation to your OCI registry.

  3. Verify

    Run werfty-verify docker <image> or werfty-verify pypi <package> — in CI or locally — to confirm the attestation is valid.
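The three steps above end in a verification that a CI job has to act on. The following POSIX shell gate is an added example, not part of Werfty's own tooling: it wraps werfty-verify, maps its exit code to the three outcomes the page lists, and fails closed on anything other than a trusted attestation. It assumes the mapping 0 = trusted, 1 = untrusted, 2 = missing (the page lists outcomes and codes in that order), and the WERFTY_VERIFY_CMD variable, the image reference and the package name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not Werfty's own code): gate a deploy on the werfty-verify exit code.
# Assumed mapping (from the page's "trusted, untrusted, or missing. Exits 0/1/2"):
#   0 = trusted, 1 = untrusted, 2 = missing.
# WERFTY_VERIFY_CMD is an assumption for this example so a test can substitute a stub.
: "${WERFTY_VERIFY_CMD:=werfty-verify}"

# classify_rc <code>: print the outcome label for a werfty-verify exit code.
# Anything outside 0/1/2 (tool not installed, crash, signal) is reported as "error".
classify_rc() {
  case "$1" in
    0) echo trusted ;;
    1) echo untrusted ;;
    2) echo missing ;;
    *) echo error ;;
  esac
}

# gate_image <docker|pypi> <ref>: return 0 only when the attestation is trusted.
# Untrusted, missing and unexpected results all return 1, so the job fails closed:
# an artifact with no attestation is not deployable just because nothing was "wrong" with it.
gate_image() {
  kind="$1"
  ref="$2"
  rc=0
  "$WERFTY_VERIFY_CMD" "$kind" "$ref" || rc=$?
  outcome=$(classify_rc "$rc")
  case "$outcome" in
    trusted)
      echo "PASS: trusted SBOM attestation for $kind $ref"
      return 0 ;;
    untrusted)
      echo "FAIL: SBOM attestation for $kind $ref did not verify (untrusted)" >&2
      return 1 ;;
    missing)
      echo "FAIL: no SBOM attestation found for $kind $ref" >&2
      return 1 ;;
    *)
      echo "FAIL: werfty-verify exited with unexpected code $rc for $kind $ref" >&2
      return 1 ;;
  esac
}

# Stand-alone usage from a CI job, e.g.:
#   sh gate.sh docker registry.example.com/app:1.2.3   (placeholder image reference)
if [ "$#" -ge 2 ]; then
  gate_image "$1" "$2"
  exit $?
fi
```

The important design choice is that the gate treats "missing" (exit 2) and any unexpected code exactly like "untrusted": a pipeline that only checks for exit 1 would wave through images that were never attested, or a runner where werfty-verify is not installed at all.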

Public trust registry coming soon

A hosted OCI registry at trust.werfty.io is on the roadmap — a public HTTPS endpoint where you can publish and query SBOM attestations without running your own Zot instance.