Merge pull request #98 from anvega/main

JustinCappos · web-flow · commit a519a5b7317d · 2025-09-18T07:37:07.000-04:00
Add Palantir to Project Adopters
diff --git a/README.md b/README.md
@@ -13,6 +13,7 @@ This section lists organizations or individuals who have adopted the project and
 | Datadog         |<img src="img/Adopters_logo/Datadog_logo.png" width="50" height="50">|Datadog uses in-toto to secure its agent integrations as they move through the company's CI/CD system. |
 | Lockheed Martin ||Lockheed Martin is one of the world's largest aerospace and defense companies, primarily known for manufacturing military aircraft like the F-35 Lightning II and F-22 Raptor fighter jets. |
 | OpenVEX         |<img src="img/Adopters_logo/OpenVEX_logo.png" width="50" height="50">|OpenVEX documents are designed to be self-sustaining, but the specification is designed to benefit from the in-toto attestation format completing VEX statements with data outside of the OpenVEX predicate. |
+| Palantir        | | Palantir uses in-toto to protect software integrity at enterprise scale with signed attestations, multi-ecosystem build support, offline-capable distribution, and layered verification. |
 | SLSA            |<img src="img/Adopters_logo/SLSA_logo.svg" width="50" height="50">|Supply chain Levels for Software Artifacts, or SLSA, is a framework that provides a series of requirements and controls. |
 | SolarWinds      |<img src="img/Adopters_logo/Solarwinds_Logo.png" width="50" height="50">|SolarWinds is an American company that provides information technology services and software to other companies and government agencies. |
 
diff --git a/palantir/README.md b/palantir/README.md
@@ -0,0 +1,14 @@
+# Palantir (Project Adopter)
+
+Palantir uses in-toto to protect the integrity of software from source to deployment across a large, heterogeneous environment.
+
+## Highlights
+- **Multi-ecosystem builds:** Custom tooling emits signed attestations across Gradle, Godel, containers, Helm, and frontend bundles.
+- **Verifiable provenance:** Release and build steps produce attestations binding source commits/tags to produced artifacts.
+- **Enterprise distribution:** Attestations are packaged with artifacts and stored in existing artifact repositories, supporting disconnected/offline installs.
+- **Layered verification:** Verification occurs at publication and again at install time to guard against tampering in transit.
+- **Operational rollout:** Gradual enforcement with exemptions and controlled overrides ensured continuity for mission-critical services.
+- **Spec alignment:** Migration to in-toto v1 (with SLSA build attestations) simplified verification and improved performance at scale (e.g., reducing P99 verification spikes from ~90 minutes to <15).
+
+## Reference
+“[How Palantir Mastered In-Toto](https://blog.palantir.com/how-palantir-mastered-in-toto-b8a7107371bb)” (Medium, Sep 2025).
