Automated Governance Made Simple: GitHub’s Built-In Attestation Capabilities
Automated governance has traditionally required enterprises to set up and manage a complex ecosystem of tools. Now, organizations using GitHub can streamline governance without standing up an extensive infrastructure. In a recent demo, we showcased how GitHub’s native attestation features eliminate the need for self-hosted solutions, lowering the barrier to entry for teams looking to secure their software delivery pipelines.
Simplifying Automated Governance
Historically, automated governance required hosting multiple services, such as the Sigstore components Fulcio and Rekor, to generate and verify attestations. While effective, these setups carried significant operational overhead.
With GitHub’s built-in attestation capabilities, teams can now create and verify attestations using GitHub’s attest actions and CLI commands, eliminating the need for external tooling. This means security and compliance checks can be integrated directly into CI/CD pipelines without the complexity of managing a self-hosted governance framework. Instead of maintaining custom infrastructure, organizations can rely on GitHub’s native attestation framework to generate signed, verifiable attestations for key pipeline events such as builds, security scans, and releases.
Bringing Governance Visibility to Backstage
A key challenge with automated governance is making attestation results easily accessible. Without a centralized view, teams must manually search through repository pipelines to find compliance details. To solve this, we developed a Backstage plugin that integrates with GitHub’s attestation framework, providing a clear and structured way to view governance results.
With the AutoGov plugin, teams can see compliance data directly in Backstage’s Code Insights section, making it easier to validate security policies at a glance. If an attestation fails, the system provides immediate feedback, highlighting whether an SBOM is missing, a build type is incorrect, or a required scan wasn’t performed. Instead of navigating through repositories, developers and security teams can quickly access attestation data in one place, reducing friction and improving compliance oversight.
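As an added illustration (not the AutoGov plugin’s code or GitHub’s), the kind of policy evaluation described above, run over constructed in-toto attestation statements shaped like those GitHub’s verification returns for an artifact. The SLSA, SPDX and GitHub build-type URIs are assumptions to confirm against the respective docs, and the scan predicate type is hypothetical.

```python
# Assumed predicate-type / build-type URIs (check against GitHub and in-toto
# docs before relying on them); the scan predicate is a hypothetical one.
SLSA_PROVENANCE = "https://slsa.dev/provenance/v1"
SPDX_SBOM = "https://spdx.dev/Document/v2.3"
SCAN_PREDICATE = "https://example.invalid/predicates/vuln-scan/v1"  # hypothetical
EXPECTED_BUILD_TYPE = "https://actions.github.io/buildtypes/workflow/v1"

# Constructed sample: placeholder digest, provenance + SBOM present, no scan.
DIGEST = "a" * 64
SAMPLE_STATEMENTS = [
    {"_type": "https://in-toto.io/Statement/v1",
     "subject": [{"name": "app.tar.gz", "digest": {"sha256": DIGEST}}],
     "predicateType": SLSA_PROVENANCE,
     "predicate": {"buildDefinition": {"buildType": EXPECTED_BUILD_TYPE}}},
    {"_type": "https://in-toto.io/Statement/v1",
     "subject": [{"name": "app.tar.gz", "digest": {"sha256": DIGEST}}],
     "predicateType": SPDX_SBOM,
     "predicate": {"spdxVersion": "SPDX-2.3"}},
]


def evaluate(statements, artifact_digest):
    """Return the list of failed checks for one artifact (empty == compliant)."""
    by_type = {}
    for stmt in statements:
        # Only attestations whose subject covers this exact digest count;
        # an SBOM for a different build must not satisfy the policy.
        digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
        if artifact_digest in digests:
            by_type.setdefault(stmt.get("predicateType"), []).append(stmt)

    failures = []
    provenance = by_type.get(SLSA_PROVENANCE)
    if not provenance:
        failures.append("missing build provenance")
    else:
        build_type = (provenance[0].get("predicate", {})
                      .get("buildDefinition", {}).get("buildType"))
        if build_type != EXPECTED_BUILD_TYPE:
            failures.append(f"incorrect build type: {build_type}")
    if SPDX_SBOM not in by_type:
        failures.append("missing SBOM")
    if SCAN_PREDICATE not in by_type:
        failures.append("required scan not performed")
    return failures


def check_sample():
    """Evaluate the constructed sample, as a Code Insights summary would."""
    return evaluate(SAMPLE_STATEMENTS, DIGEST)
```

The returned list is the per-artifact feedback a dashboard would display; an empty list means every required attestation was present and well-formed for that digest.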
Lowering the Barrier to Adoption
The goal of this initiative is to make automated governance as simple as possible. If an organization already uses GitHub and Backstage, adding governance controls requires minimal effort. By using GitHub’s attestation feature, teams can implement policy-driven security without needing to deploy additional tooling.
This approach enables organizations to enforce security and compliance efficiently while keeping governance lightweight and developer-friendly. Instead of complex infrastructure setups, teams can focus on building, securing, and delivering software with confidence.
Automate Governance Without Extra Overhead
By leveraging GitHub’s native attestations and integrating results into Backstage, organizations can enforce compliance and security policies without slowing down development. Governance should enhance software delivery—not create bottlenecks.
If your team is looking for a seamless way to implement automated governance, contact us today to explore how GitHub’s attestation features can simplify compliance and security in your CI/CD pipelines.