There are 4 repositories under the sigstore topic.
An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster
Supply chain security for ML
Enabling Software Supply Chain Security Capabilities in ArgoCD
🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures
Example goreleaser + github actions config with keyless signing and SBOM generation
A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.
🔍 Rekor transparency log monitoring and alerting
Kubernetes admission webhook that uses cosign verify to check that the subject and issuer of the image match what you expect
Transparently Immutable Container Image Tags
Stream, Mutate and Sign Images with AWS Lambda and ECR
Software signing just got easier
Proof of concept that uses cosign and GitHub's built-in OIDC for Actions to sign container images, providing proof that what is in the registry came from your GitHub Action.
Project that demonstrates the implementation of SLSA L3 with GitHub Workflows and Sigstore. Bonus: binary authorization with Kyverno.
Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.
Google Container Analysis data import utility, supports OSS vulnerability scanner reports, SLSA provenance and sigstore attestations.
Samples showing how to secure the supply chain for Java applications.
Example code repo for blog post https://chainguard.dev/posts/2022-01-07-cosign-aws-codepipeline
This GitHub Action uses kaniko and an Amazon Linux container with nitro-cli to build a reproducible AWS Nitro Enclaves EIF file and its information.
Java PoC code to implement sigstore operations equivalent to "cosign sign-blob"
Verify Sigstore Gitsign commit signatures
Supply Chain Security does not need to be difficult
Tools & services used to help in the development flow of sigstore
An Ansible collection for using Sigstore to verify file signatures
A guide for setting up Sigstore with Keycloak as an identity provider
Kubernetes admission webhook that uses cosign tools Container Sign Verify