Community Edition · early access

Your fleet's
attestation tree.

Every Windows artifact — winget, npm, pip, Choco, MSIs, drivers, Windows Update — gets a signed SBOM and attestation at ingest, before any endpoint installs it.

Run it free Read the wedge

Free Community Edition — self-host up to 50 endpoints, no Azure.

ATTESTATION TREE · live depth 3 · 7 nodes

ATTESTED SOURCES

winget npm pip choco scoop dotnet-tool ps-gallery msi msix windows-update

THE WEDGE

Most tools scan after install. Attestree attests before it.

Scanning is a confession. By the time a CVE shows up in your dashboard, the artifact is already running on your fleet. We move provenance to ingest.

Provenance at ingest One tree, every artifact Ship signed evidence

SAMPLE ATTESTATION

An in-toto statement, signed at the moment of detonation.

SLSA v1 provenance, CycloneDX SBOM digest, ed25519 signature. Verifiable with one CLI call or a 30-line Python snippet.

Microsoft.PowerToys-0.81.1.attest.json

verified · att-root-2026-04


        1
        {
      

        2
          "_type": "https://in-toto.io/Statement/v1",
      

        3
          "subject": [{
      

        4
            "name": "winget://Microsoft.PowerToys",
      

        5
            "digest": { "sha256": "9c4f7b1e4a2d8b7e9c1f0a3b5d6e7f8a1b2c3d4e5f60718293a4b5c6d7e8f9a0" }
      

        6
          }],
      

        7
          "predicateType": "https://slsa.dev/provenance/v1",
      

        8
          "predicate": {
      

        9
            "buildDefinition": {
      

        10
              "buildType": "https://attestree.com/builds/winget-detonate@v1",
      

        11
              "externalParameters": {
      

        12
                "source": "winget-pkgs/manifests/m/Microsoft/PowerToys/0.81.1",
      

        13
                "channel": "stable"
      

        14
              }
      

        15
            },
      

        16
            "runDetails": {
      

        17
              "builder": { "id": "https://attestree.com/runners/win-2025-amd64/r-7c33" },
      

        18
              "metadata": {
      

        19
                "invocationId": "att_01JK4M9F2X5W8H6P0Q1R2S3T4U",
      

        20
                "startedOn":   "2026-04-29T14:02:11Z",
      

        21
                "finishedOn":  "2026-04-29T14:04:03Z"
      

        22
              }
      

        23
            },
      

        24
            "sbom": {
      

        25
              "format": "CycloneDX-1.6",
      

        26
              "componentCount": 412,
      

        27
              "digest": "sha256:e45a91d2c0b3a4e5f6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f70819203"
      

        28
            },
      

        29
            "signature": {
      

        30
              "alg": "ed25519",
      

        31
              "keyId":  "att-root-2026-04",
      

        32
              "value":  "MEUCIQDx9k...cWZ0nQv5wA=="
      

        33
            }
      

        34
          }
      

        35
        }

FOR YOUR FLEET

Same tree.
Five postures.

Whether you run two laptops or twenty thousand, the attestation primitive is identical. Policy, deployment, and evidence shape themselves to your environment.

01 Hobbyists & enthusiasts