Safeguarding data integrity across any data supply chain
Makoto brings SLSA-style assurance levels to data pipelines, producing cryptographically signed DBOMs (Data Bills of Materials) to prove chain of custody.
Understanding Makoto Levels
These pages provide an overview of Makoto Levels, how they protect against common data supply chain attacks, and common use cases. If you're new to Makoto or data supply chain security, start here.
| Page | Description |
|---|---|
| About Makoto Levels | An introductory guide to the Makoto specification |
| Data supply chain threats | An introduction to data supply chain threats |
| Use cases | Common use cases for data attestation |
| Guiding principles | The core principles behind Makoto's design |
| Privacy techniques | Techniques for privacy-preserving attestations |
Provenance Levels
These pages describe the provenance level requirements. If you want to achieve a particular Makoto level (L1, L2, or L3), these are the requirements you'll need to meet.
| Page | Description |
|---|---|
| Provenance levels overview | Overview of L1, L2, and L3 provenance levels |
| Producing DBOMs | How to produce DBOMs for your data pipelines |
| Verifying DBOMs | How to verify Data Bills of Materials |
Attestation Formats
| Page | Description |
|---|---|
| Origin attestation | Attestation format for data origin/provenance |
| Transform attestation | Attestation format for data transformations |
| Stream window attestation | Attestation format for high-throughput streams |
Sample Attestation Pipeline
A typical data pipeline with Makoto attestations at each stage. Each stage generates an attestation that can be independently verified, ultimately producing a DBOM.
Example Origin Attestation
```json
{
  "_type": "https://makoto.dev/origin/v0.1",
  "subject": [{
    "name": "sensor-readings-2025-01-15.parquet",
    "digest": { "sha256": "a1b2c3d4..." }
  }],
  "predicate": {
    "source": {
      "type": "iot-device",
      "id": "sensor-cluster-west-01"
    },
    "timestamp": "2025-01-15T10:30:00Z",
    "metadata": {
      "format": "parquet",
      "records": 1250000
    }
  }
}
```
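A content-hash check against an origin attestation of the shape shown above, as an added example that is not Makoto's own code or part of the original page: it hashes a data file and compares the result with the statement's subject digest. The helper names and matching subjects by file basename are assumptions. No signature is checked, so this detects changed bytes but does not authenticate the statement.

```python
import hashlib, hmac, os, re, tempfile
from pathlib import Path

ORIGIN_TYPE = "https://makoto.dev/origin/v0.1"  # _type value from the page's sample

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large data artifacts are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def make_origin_statement(path, source_type, source_id, timestamp):
    return {  # fields as in the sample; optional metadata omitted
        "_type": ORIGIN_TYPE,
        "subject": [{"name": os.path.basename(path),
                     "digest": {"sha256": sha256_file(path)}}],
        "predicate": {"source": {"type": source_type, "id": source_id},
                      "timestamp": timestamp},
    }

def check_subject(statement, path):
    """Return (ok, reason). Assumption: subjects are matched by file basename."""
    if statement.get("_type") != ORIGIN_TYPE:
        return False, "unexpected _type"
    name = os.path.basename(path)
    matches = [s for s in statement.get("subject", []) if s.get("name") == name]
    if len(matches) != 1:
        return False, "subject not listed exactly once"
    expected = str(matches[0].get("digest", {}).get("sha256", ""))
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        return False, "digest missing or not a full sha256"
    if not hmac.compare_digest(expected, sha256_file(path)):
        return False, "digest mismatch"
    return True, "ok"

def demo():
    """Check a constructed file: untouched, elided digest, then tampered."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "sensor-readings-2025-01-15.parquet"
        path.write_bytes(b"constructed sample bytes, not real parquet data")
        stmt = make_origin_statement(path, "iot-device", "sensor-cluster-west-01",
                                     "2025-01-15T10:30:00Z")
        untouched = check_subject(stmt, path)
        elided = dict(stmt, subject=[{"name": path.name,
                                      "digest": {"sha256": "a1b2c3d4..."}}])
        elided_result = check_subject(elided, path)
        path.write_bytes(path.read_bytes() + b"\x00")  # one added byte = tampering
        return untouched, elided_result, check_subject(stmt, path)
```

The elided digest from the sample (`a1b2c3d4...`) is rejected outright rather than compared, so a truncated or placeholder value can never pass as a match.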
Makoto Levels
Makoto defines three levels with increasing guarantees. Start with Level 1 for basic provenance tracking, then progressively enhance security based on your requirements.
Provenance Exists
Documentation that data provenance exists. Enables detection of tampering through content hashing.
Authentic Provenance
Cryptographically signed attestations with identity binding. Prevents attestation forgery.
Unforgeable Provenance
Hardware-backed attestations using TEE or HSM. Provides non-repudiation even if systems are compromised.
Relationship to SLSA
Makoto brings SLSA-style assurance levels to data supply chains. While SLSA focuses on software build provenance, Makoto addresses the unique challenges of data pipelines.
| Aspect | SLSA | Makoto |
|---|---|---|
| Focus | Software artifacts | Data artifacts |
| Provenance | Build provenance | Origin + Transform provenance |
| Scale | Individual builds | Batch files + high-throughput streams |
| Privacy | Public metadata | Privacy-preserving options |
| Output | SBOM | DBOM (Data Bill of Materials) |
| Format | in-toto/DSSE | in-toto/DSSE (compatible) |
Just as SLSA defines levels for build provenance, Makoto defines levels for data provenance. Both frameworks share the same attestation envelope format (DSSE) and progressive level approach, making them complementary for organizations that need to secure both software and data supply chains.
Get Started with Makoto
Ready to bring data integrity to your pipelines? Start with Level 1 attestations and progressively enhance security as your needs grow.