diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
index 4acb19eaa5c..39e3599f8ef 100644
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -4022,6 +4022,12 @@
 github = "fitzgibbon";
 githubId = 617048;
 };
+ fkautz = {
+ name = "Frederick F. Kautz IV";
+ email = "fkautz@alumni.cmu.edu";
+ github = "fkautz";
+ githubId = 135706;
+ };
 Flakebi = {
 email = "flakebi@t-online.de";
 github = "Flakebi";
diff --git a/pkgs/tools/security/witness/default.nix b/pkgs/tools/security/witness/default.nix
new file mode 100644
index 00000000000..571685afb40
--- /dev/null
+++ b/pkgs/tools/security/witness/default.nix
@@ -0,0 +1,25 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+ pname = "witness";
+ version = "0.1.1";
+
+ src = fetchFromGitHub {
+ owner = "testifysec";
+ repo = pname;
+ rev = "v${version}";
+ sha256 = "sha256-NnDsiDUTCdjsHVA/mHnB8WRnvwFTzETkWUOd7IgMIWE=";
+ };
+
+ vendorSha256 = "sha256-zkLparWJsuqrhOQxxV37dBqt6fwpSinTO+paJkbl+sM=";
+
+ # We only want the witness binary, not the helper utilities for generating docs.
+ subPackages = [ "cmd/witness" ];
+
+ meta = with lib; {
+ description = "A pluggable framework for software supply chain security. Witness prevents tampering of build materials and verifies the integrity of the build process from source to target";
+ homepage = "https://github.com/testifysec/witness";
+ license = licenses.asl20;
+ maintainers = with maintainers; [ fkautz ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index c06416105e0..65183745331 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10750,6 +10750,8 @@ with pkgs;
 SDL = SDL_sixel;
 };
+ witness = callPackage ../tools/security/witness { };
+
 openconnect = openconnect_gnutls;
 openconnect_openssl = callPackage ../tools/networking/openconnect {
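Review bot: The `meta.description` in `pkgs/tools/security/witness/default.nix` runs to two sentences, opens with an article and repeats the package name, so it reads poorly wherever a one-line summary is shown. A shorter form such as `description = "Pluggable framework for software supply chain security";` with the second sentence moved into `longDescription` would carry the same information. In the `fetchFromGitHub` call, `repo = pname;` couples the upstream repository name to the package attribute through `rec`, so a later change to `pname` would also change the fetch URL; `repo = "witness";` keeps the source location explicit. The tag `rev` is backed by the fixed-output `sha256`, and the Go dependencies by `vendorSha256`, so the fetched inputs are already pinned and need no change.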