DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/
Updated Apr 23, 2023 - Go
An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster
This is just a proof-of-concept project that aims to sign and verify container images using cosign and OPA (Open Policy Agent)
Integrates SPIFFE and Vault to have secretless authentication
Example GoReleaser + GitHub Actions config with keyless signing and SBOM generation
Kubernetes admission webhook that uses cosign verify to check that the subject and issuer of the image match what you expect
Stream, Mutate and Sign Images with AWS Lambda and ECR
Proof of concept that uses cosign and GitHub's built-in OIDC for Actions to sign container images, providing proof that what is in the registry came from your GitHub Action.
Docker Registry Authentication Made Simple
Example code repo for blog post https://chainguard.dev/posts/2022-01-07-cosign-aws-codepipeline
Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.
Sigstore Homebrew Tap
A demonstration of how GoReleaser can help us make the software supply chain more secure by using a bunch of tools such as cosign, syft, grype, slsa-provenance