gittuf's policy can be rolled back to prior valid versions
An attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys.
Advisories for Golang/Github.com/Gittuf/Gittuf package
2026