diff --git a/.clomonitor.yml b/.clomonitor.yml
new file mode 100644
index 00000000..7b5506cf
--- /dev/null
+++ b/.clomonitor.yml
@@ -0,0 +1,21 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+
+# Checks exemptions
+exemptions:
+ - check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions)
+ reason: "Project is a CLI tool and is not one of the support types for Artifact Hub" # Justification of this exemption (mandatory, it will be displayed on the UI)
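Review bot: The two inline comments on `check` and `reason` push both lines far past any sensible width and sit behind the values a reader actually scans for; move them onto their own lines above the keys, e.g. `# Check identifier, see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions` above `- check: artifacthub_badge` and `# Justification for the exemption (mandatory, shown in the UI)` above `reason:`. The reason string itself is fine as a quoted scalar since it contains no YAML specials, but keeping it quoted protects it from future edits that add a colon or hash.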
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
new file mode 100644
index 00000000..cdd0f88b
--- /dev/null
+++ b/.github/workflows/fossa.yml
@@ -0,0 +1,28 @@
+name: "Fossa Scan"
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["main"]
+ schedule:
+ - cron: "0 0 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ fossa-scan:
+ env:
+ FOSSA_API_KEY: ${{ secrets.fossaApiKey }}
+ runs-on: ubuntu-latest
+ steps:
+ - if: ${{ env.FOSSA_API_KEY != '' }}
+ name: "Checkout Code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - if: ${{ env.FOSSA_API_KEY != '' }}
+ name: "Run FOSSA Scan"
+ uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+ with:
+ api-key: ${{ env.FOSSA_API_KEY }}
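Review bot: fossa.yml is the only new file in this commit without the Apache header that `.clomonitor.yml`, `SECURITY-INSIGHTS.yml` and the edited workflows carry; if the addlicense check in verify-licence.yml covers workflow YAML, this job will be flagged, so add the same header block at the top. As a point of style, `name:` conventionally precedes `if:` in a step (`- name: "Checkout Code"` followed by `if: ${{ env.FOSSA_API_KEY != '' }}`), which lets the step list read as a list of actions rather than conditions. The job-level `env` exposes the key to every step, which is what makes the step-level `if` possible since the `secrets` context is not available there; a comment such as `# key is empty on fork pull requests; both steps are skipped when unset` above `env:` would record why the guard exists.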
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 12228a80..1e09db9a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,11 +1,30 @@
-permissions:
- id-token: write # This is required for requesting the JWT
- contents: read # This is required for actions/checkout
+# Copyright 2022 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
name: release
on: [push, pull_request]
+
+permissions:
+ contents: read # This is required for actions/checkout
+
+
jobs:
fmt:
uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
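Review bot: Two consecutive blank lines are added between the top-level `permissions:` block and `jobs:` (the two `+` lines before `jobs:`), while the rest of the file separates stanzas with one; drop one of them. The same job-level `permissions:` block is repeated verbatim for `fmt`, `sast` and `unit-test` (this hunk and the next two); that repetition is required because each caller of a reusable workflow must grant what the callee's job requests, so a one-line comment above the first, `# callers of witness.yml must grant id-token: write for its job`, would explain it to the next maintainer. The `fmt` job definition continues past the end of this hunk.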
@@ -15,6 +34,9 @@ jobs:
sast:
needs: [fmt]
uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
@@ -24,6 +46,9 @@ jobs:
unit-test:
needs: [fmt]
uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
@@ -67,8 +92,11 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+
- name: Download GoReleaser
- run: go install github.com/goreleaser/goreleaser@latest
+ run: go install github.com/goreleaser/goreleaser@v1.23.0
- name: Run GoReleaser
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
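Review bot: With the workflow default now reduced to `contents: read`, the release job whose steps appear here must carry its own `permissions:` block: the visible registry login with `${{ secrets.GITHUB_TOKEN }}` needs `packages: write` if images are pushed to GHCR, and the newly installed cosign, which `.goreleaser.yaml` invokes without a `--key`, needs `id-token: write` to obtain the OIDC token for keyless signing. The job header and any permissions block are outside this hunk, so this may already be handled; confirm before merging, because a missing grant only surfaces at release time. A comment beside the Install Cosign step, `# keyless signing (signs/docker_signs in .goreleaser.yaml) requires id-token: write on this job`, would tie the two files together.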
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index e83537be..d0311f66 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,3 +1,21 @@
+# Copyright 2024 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
name: Scorecards supply-chain security
on:
workflow_dispatch:
@@ -38,7 +56,7 @@ jobs:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecards on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
- repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+ # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
# Publish the results for public repositories to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
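Review bot: Commenting out `repo_token` leaves the surrounding comment block explaining when a PAT is needed, but nothing states why this repository no longer passes one, so the next reader cannot tell whether the secret was removed, never existed, or the Branch-Protection check was deliberately given up. Add one line under the commented key, e.g. `# repo_token intentionally unset: the default GITHUB_TOKEN is used and Branch-Protection results may be limited`, adjusted to the actual reason. The `with:` block this belongs to starts outside the hunk.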
diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml
index 415eb405..6fdd09b4 100644
--- a/.github/workflows/verify-licence.yml
+++ b/.github/workflows/verify-licence.yml
@@ -17,7 +17,7 @@ jobs:
with:
go-version: '1.18.x'
- name: Install addlicense
- run: go install github.com/google/addlicense@latest
+ run: go install github.com/google/addlicense@v1.1.1
- name: Check license headers
run: |
set -e
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
index 1b031473..2e353ed2 100644
--- a/.github/workflows/witness.yml
+++ b/.github/workflows/witness.yml
@@ -40,9 +40,15 @@ on:
required: true
type: string
+permissions:
+ contents: read
+
jobs:
witness:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
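Review bot: The job-level `permissions:` block on `witness` fully overrides the workflow-level `permissions: contents: read` added just above it, since any scope not listed at job level is set to none; for this single-job workflow the top-level block therefore only documents intent, which is worth a comment such as `# default for any job added later; the witness job declares its own set below`. `id-token: write` is the one grant here with no explanation, whereas release.yml annotates it; add `id-token: write # OIDC token, presumably used by witness for keyless signing — confirm` so callers know why they must pass it through. The `on:` block is cut off at the start of the hunk.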
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 28d21c17..61e29ec8 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -21,6 +21,14 @@ gomod:
proxy: false
source:
enabled: true
+signs:
+ - cmd: cosign
+ args:
+ - "sign-blob"
+ - "--output-signature=${signature}"
+ - "${artifact}"
+ - "--yes" # needed on cosign 2.0.0+
+ artifacts: all
changelog:
use: github
groups:
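Review bot: The `signs` entry runs `cosign sign-blob` with no `--key`, i.e. keyless signing, but only captures the signature; without the accompanying certificate a downstream `cosign verify-blob` has nothing to check the signature against, so the release should publish it as well. GoReleaser exposes this as a `certificate` field and a `${certificate}` variable: add `certificate: '${artifact}.pem'` to the entry and `- "--output-certificate=${certificate}"` to `args`. Placing `--yes` after the positional artifact works with cosign's flag parsing, but listing flags before the artifact reads more conventionally and matches the `docker_signs` entry later in this file once aligned.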
@@ -49,3 +57,11 @@ kos:
platforms:
- linux/amd64
- linux/arm64
+ sbom: spdx
+docker_signs:
+ - artifacts: manifests
+ cmd: cosign
+ args:
+ - "sign"
+ - "${artifact}"
+ - "--yes" # needed on cosign 2.0.0+
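Review bot: `cosign sign "${artifact}"` signs whatever `${artifact}` expands to; if GoReleaser hands `docker_signs` a tag reference rather than `name@sha256:…`, cosign resolves the tag at signing time and prints a warning, and the signature is bound to the digest the tag happened to point at. Confirm in a release log which form is passed and, if it is a tag, switch to signing by digest. A comment above the block, `# keyless image signing; requires id-token: write on the release job`, would make the OIDC dependency visible from this file.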
diff --git a/DEPENDENCY.md b/DEPENDENCY.md
new file mode 100644
index 00000000..99f74a1c
--- /dev/null
+++ b/DEPENDENCY.md
@@ -0,0 +1,42 @@
+# Environment Dependencies Policy
+
+## Purpose
+
+This policy describes how Witness maintainers consume third-party packages.
+
+## Scope
+
+This policy applies to all Witness maintainers and all third-party packages used in the Witness project.
+
+## Policy
+
+Witness maintainers must follow these guidelines when consuming third-party packages:
+
+- Only use third-party packages that are necessary for the functionality of Witness.
+- Use the latest version of all third-party packages whenever possible.
+- Avoid using third-party packages that are known to have security vulnerabilities.
+- Pin all third-party packages to specific versions in the Witness codebase.
+- Use a dependency management tool, such as Go modules, to manage third-party dependencies.
+
+## Procedure
+
+When adding a new third-party package to Witness, maintainers must follow these steps:
+
+1. Evaluate the need for the package. Is it necessary for the functionality of Witness?
+2. Research the package. Is it well-maintained? Does it have a good reputation?
+3. Choose a version of the package. Use the latest version whenever possible.
+4. Pin the package to the specific version in the Witness codebase.
+5. Update the Witness documentation to reflect the new dependency.
+
+## Enforcement
+
+This policy is enforced by the Witness maintainers.
+Maintainers are expected to review each other's code changes to ensure that they comply with this policy.
+
+## Exceptions
+
+Exceptions to this policy may be granted by the Witness project lead on a case-by-case basis.
+
+## Credits
+
+This policy was adapted from the [Kubescape Community](https://github.com/kubescape/kubescape/blob/master/docs/environment-dependencies-policy.md)
diff --git a/README.md b/README.md
index e563ce1a..fe5a9271 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,13 @@
-[![OpenSSF
--Scorecard](https://api.securityscorecards.dev/projects/github.com/testifysec/witness/badge)](https://api.securityscorecards.dev/projects/github.com/testifysec/witness)
-
Witness is a pluggable framework for supply chain security
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8280/badge)](https://www.bestpractices.dev/projects/8280)
+[![OpenSSF-Scorecard](https://api.securityscorecards.dev/projects/github.com/testifysec/witness/badge)](https://api.securityscorecards.dev/projects/github.com/testifysec/witness)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness.svg?type=shield&issueType=license)](https://app.fossa.com/projects/custom%2B41709%2Fgithub.com%2Fin-toto%2Fwitness?ref=badge_shield&issueType=license)
+
[![asciicast](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D.svg)](https://asciinema.org/a/2DZRRh8uzrzHcUVL8md86Zj4D)
# Witness - Secure Your Supply Chain
@@ -26,22 +27,24 @@ Witness works by wrapping commands executed in a continuous integration process,
## Witness is a pluggable framework for supply chain security
- - It creates an evidence trail of the entire software development life cycle (SDLC) that can be used to evaluate policy compliance and detect any potential tampering or malicious activity.
- - It is designed to run in both containerized and non-containerized environments and does not require elevated privileges.
- - It supports most major CI and infrastructure providers, making it a versatile and flexible solution for securing software supply chains.
- - It uses a secure PKI distribution system and allows for verification of Witness metadata to further enhance security and mitigate against software supply chain attack vectors.
+- It creates an evidence trail of the entire software development life cycle (SDLC) that can be used to evaluate policy compliance and detect any potential tampering or malicious activity.
+- It is designed to run in both containerized and non-containerized environments and does not require elevated privileges.
+- It supports most major CI and infrastructure providers, making it a versatile and flexible solution for securing software supply chains.
+- It uses a secure PKI distribution system and allows for verification of Witness metadata to further enhance security and mitigate against software supply chain attack vectors.
## Key Features
- - Implementation of the in-toto specification including ITE-5, ITE-6, and ITE-7, and an embedded rego policy engine for build policy enforcement.
- - Support for keyless signing with Sigstore and SPIFFE/SPIRE, and uploading attestation evidence to the Archivista server.
- - Support for RFC3161 compatible timestamp authorities
- - Experimental support for process tracing and process tampering prevention.
- - Verifies file integrity between CI steps and across air gap.
- - Support for Darwin, Windows, and ARM architectures.
- - Can use Archivista as an attestation store.
- - Integrations with GitLab, GitHub, AWS, and GCP.
+
+- Implementation of the in-toto specification including ITE-5, ITE-6, and ITE-7, and an embedded rego policy engine for build policy enforcement.
+- Support for keyless signing with Sigstore and SPIFFE/SPIRE, and uploading attestation evidence to the Archivista server.
+- Support for RFC3161 compatible timestamp authorities
+- Experimental support for process tracing and process tampering prevention.
+- Verifies file integrity between CI steps and across air gap.
+- Support for Darwin, Windows, and ARM architectures.
+- Can use Archivista as an attestation store.
+- Integrations with GitLab, GitHub, AWS, and GCP.
## How it works
+
- Witness wraps commands executed during a continuous integration process to create an evidence trail of the entire software development life cycle (SDLC)
- It records secure hashes of materials, artifacts, and events that occur during the CI process
- This evidence can be used to evaluate policy compliance, detect tampering or malicious activity, and ensure only authorized users or machines complete a step of the process
@@ -54,7 +57,6 @@ Witness works by wrapping commands executed in a continuous integration process,
- It supports Darwin, Windows, and ARM architectures and can use [Archivista](https://github.com/testifysec/archivista) as an attestation store
- Overall, Witness acts as a comprehensive framework for automated governance, providing a robust solution for securing the software supply chain.
-
## Witness Examples
- [Verify an Artifact Policy](https://github.com/testifysec/witness-examples/blob/main/keypair/README.md)
@@ -117,19 +119,20 @@ Witness works by wrapping commands executed in a continuous integration process,
## Quick Start
### Download the Binary
+
Download from the releases page or use the install script to download the latest release.
[Releases](https://github.com/testifysec/witness/releases)
-```
+
+```bash
bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)
```
-
### Create a Keypair
> Witness supports keyless signing with [SPIRE](https://spiffe.io/)!
-```
+```bash
openssl genpkey -algorithm ed25519 -outform PEM -out testkey.pem
openssl pkey -in testkey.pem -pubout > testpub.pem
```
@@ -141,7 +144,7 @@ openssl pkey -in testkey.pem -pubout > testpub.pem
> - `witness help` will show all configuration options
> - command-line arguments overrides configuration file values.
-```
+```yaml
## .witness.yaml
run:
@@ -161,7 +164,7 @@ verify:
> - Defining step names is important, these will be used in the policy.
> - This should happen as a part of a CI step
-```
+```bash
witness run --step build -o test-att.json -- go build -o=testapp .
```
@@ -170,7 +173,7 @@ witness run --step build -o test-att.json -- go build -o=testapp .
> - This data can be stored and retrieved from Archivista
> - This is the data that is evaluated against the Rego policy
-```
+```bash
cat test-att.json | jq -r .payload | base64 -d | jq
```
@@ -184,7 +187,7 @@ Look [here](docs/policy.md) for full documentation on Witness Policies.
> - Witness will require all attestations to succeed
> - Witness will evaluate the rego policy against the JSON object in the corresponding attestor
-```
+```json
## policy.json
{
@@ -224,7 +227,7 @@ Look [here](docs/policy.md) for full documentation on Witness Policies.
### Replace the variables in the policy
-```
+```bash
id=`sha256sum testpub.pem | awk '{print $1}'` && sed -i "s/{{PUBLIC_KEY_ID}}/$id/g" policy.json
pubb64=`cat testpub.pem | base64 -w 0` && sed -i "s/{{B64_PUBLIC_KEY}}/$pubb64/g" policy.json
```
@@ -233,7 +236,7 @@ pubb64=`cat testpub.pem | base64 -w 0` && sed -i "s/{{B64_PUBLIC_KEY}}/$pubb64/g
Keep this key safe, its owner will control the policy gates.
-```
+```bash
witness sign -f policy.json --signer-file-key-path testkey.pem --outfile policy-signed.json
```
@@ -243,7 +246,7 @@ witness sign -f policy.json --signer-file-key-path testkey.pem --outfile policy-
> `witness verify` will return a `non-zero` exit and reason in the case of failure. Success will be silent with a `0` exit status
> for policies that require multiple steps, multiple attestations are required.
-```
+```bash
witness verify -f testapp -a test-att.json -p policy-signed.json -k testpub.pem
```
@@ -253,7 +256,7 @@ witness verify -f testapp -a test-att.json -p policy-signed.json -k testpub.pem
Witness attestors are pieces of code that assert facts about a system and store those facts in a versioned schema. Each attestor has a `Name`, `Type`, and `RunType`. The `Type` is a versioned string corresponding to the JSON schema of the attestation. For example, the AWS attestor is defined as follows:
-```
+```go
Name = "aws"
Type = "https://witness.dev/attestations/aws/v0.1"
RunType = attestation.PreRunType
@@ -286,6 +289,7 @@ Examples of cryptographic validation is found in the [GCP](https://github.com/te
## Attestor Types
### Pre-material Attestors
+
- [AWS](docs/attestors/aws-iid.md) - Attestor for AWS Instance Metadata
- [GCP](docs/attestors/gcp-iit.md) - Attestor for GCP Instance Identity Service
- [GitLab](docs/attestors/gitlab.md) - Attestor for GitLab Pipelines
@@ -295,12 +299,15 @@ Examples of cryptographic validation is found in the [GCP](https://github.com/te
- [JWT](docs/attestors/jwt.md) - Attestor for JWT Tokens
### Material Attestors
+
- [Material](docs/attestors/material.md) - Records secure hashes of files in current working directory
### Execute Attestors
+
- [CommandRun](docs/attestors/commandrun.md) - Records traces and metadata about the actual process being run
### Product Attestors
+
- [Product](docs/attestors/product.md) - Records secure hashes of files produced by commandrun attestor (only detects new files)
### Post-product Attestors
@@ -335,7 +342,6 @@ Witness can consume ephemeral keys from a [SPIRE](https://github.com/spiffe/spir
During the verification process witness will use a source of trusted time such as a timestamp from a timestamp authority to make a determination on certificate validity. The SPIRE certificate only needs to remain valid long enough for a timestamp to be created.
-
## Support
[TestifySec](https://testifysec.com) Provides support for witness and other CI security tools.
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
new file mode 100644
index 00000000..5cf89858
--- /dev/null
+++ b/SECURITY-INSIGHTS.yml
@@ -0,0 +1,81 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+header:
+ schema-version: 1.0.0
+ expiration-date: '2024-08-31T10:10:09.000Z'
+ last-updated: '2023-01-05'
+ last-reviewed: '2023-01-05'
+ commit-hash: cd0c222058a8830a8e190b840e466098b25a3c41
+ project-url: https://github.com/in-toto/witness
+ project-release: 'v0.2.0'
+ changelog: https://github.com/in-toto/witness/releases/tag/v0.2.0
+ license: https://github.com/in-toto/witness/blob/main/LICENSE
+
+project-lifecycle:
+ status: active
+ roadmap: https://github.com/orgs/in-toto/projects/4/views/3
+ bug-fixes-only: false
+ core-maintainers:
+ - https://github.com/in-toto/witness/MAINTAINERS.md
+ release-cycle: https://github.com/in-toto/witness/releases
+
+contribution-policy:
+ accepts-pull-requests: true
+ accepts-automated-pull-requests: true
+ contributing-policy: https://github.com/in-toto/witness/blob/main/CONTRIBUTING.md
+ code-of-conduct: https://github.com/in-toto/witness/blob/main/CODE_OF_CONDUCT.md
+
+documentation:
+ - https://witness.dev
+
+distribution-points:
+ - https://github.com/in-toto/witness/releases
+
+security-testing:
+- tool-type: sca
+ tool-name: Dependabot
+ tool-version: 2
+ tool-url: https://github.com/dependabot
+ integration:
+ ad-hoc: false
+ ci: true
+ before-release: false
+
+security-contacts:
+- type: email
+ value: security@testifysec.com
+ primary: true
+
+vulnerability-reporting:
+ accepts-vulnerability-reports: true
+ email-contact: security@testifysec.com
+ security-policy: https://github.com/in-toto/witness/SECURITY.md
+
+dependencies:
+ third-party-packages: true
+ dependencies-lists:
+ - https://github.com/in-toto/witness/go.mod
+ sbom:
+ - sbom-file: https://foo.bar/sbom
+ sbom-format: CycloneDX
+ sbom-url: https://foo.bar
+ dependencies-lifecycle:
+ policy-url: https://github.com/in-toto/witness/SECURITY.md
+ comment: |
+ All dependencies are subject to the Witness Security Policy.
+ env-dependencies-policy:
+ policy-url: https://github.com/in-toto/witness/DEPENDENCY.md
+ comment: |
+ All dependencies are subject to the Witness Dependency Policy.
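Review bot: The `sbom` entry carries placeholder values, `sbom-file: https://foo.bar/sbom` and `sbom-url: https://foo.bar`, in a machine-readable file that tools such as CLOMonitor consume, and its `sbom-format: CycloneDX` disagrees with the `sbom: spdx` this same commit sets for ko in `.goreleaser.yaml`; either point the entry at the SBOM the release actually publishes or drop the `sbom:` block until one exists. Several document links (`MAINTAINERS.md`, `go.mod`, `SECURITY.md` under both `vulnerability-reporting` and `dependencies-lifecycle`, `DEPENDENCY.md`) omit the `/blob/main/` segment that `contributing-policy` and `code-of-conduct` use; confirm they resolve or make them consistent. Minor style points: sequence items are indented under `core-maintainers` but flush under `security-testing` and `security-contacts`, and `commit-hash` is an unquoted hex string — quoting it keeps every consumer reading it as text.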
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..1c558ac9
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,34 @@
+# Security Policy
+
+## Security Bulletins
+
+See current security bullentins on GitHub: https://github.com/in-toto/witness/security/advisories
+
+For information regarding the security of this project please join:
+
+* in-toto-witness on CNCF Slack
+
+## Reporting a Vulnerability
+
+Please use the below process to report a vulnerability to the project:
+
+Web Form:
+
+1. Please visit https://github.com/in-toto/witness/security/advisories/new
+ * You will receive a confirmation email upon submission
+1. You may be contacted by a maintainer to further discuss the reported item
+ within 3 days. Please bear with us as we seek to understand the breadth
+ and scope of the reported problem, recreate it, and confirm if there is an
+ vulnerability present.
+
+This project follows a 30 day disclosure timeline.
+
+## Supported Versions
+
+Information regarding supported versions of this project can be found on
+in the below table:
+
+| Version | Supported |
+| --- | --- |
+| Latest | :white_check_mark: |
+| <= Latest - 2 | :x: |
diff --git a/dev/Dockerfile.go-builder b/dev/Dockerfile.go-builder
index 2f98ea11..9bf246c8 100644
--- a/dev/Dockerfile.go-builder
+++ b/dev/Dockerfile.go-builder
@@ -1,2 +1,2 @@
-FROM golang:1.21.3
+FROM golang:1.21.3@sha256:b113af1e8b06f06a18ad41a6b331646dff587d7a4cf740f4852d16c49ed8ad73
COPY ./bin/witness /usr/bin