Keyless Git signing using Sigstore

Common go library shared across sigstore services and clients

An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster

An experimental Rust crate for sigstore

Supply chain security for ML

sigstore the hard way!

Enabling Software Supply Chain Security Capabilities in ArgoCD

🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

Plugin for Helm to integrate the sigstore ecosystem

A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.

Example goreleaser + github actions config with keyless signing, SBOM generation, and attestations

Go library for Sigstore signing and verification

🔍 Rekor transparency log monitoring and alerting

Kubernetes admission webhook that uses cosign verify to check the subject and issuer of the image matches what you expect

Transparenty Immutable Container Image Tags

Stream, Mutate and Sign Images with AWS Lambda and ECR

Go library for Sigstore signing and verification

Software signing just got easier

Proof of concept that uses cosign and GitHub's in built OIDC for actions to sign container images, providing a proof that what is in the registry came from your GitHub action.

Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.