Keyless Git signing using Sigstore

Common go library shared across sigstore services and clients

An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster

Enabling Software Supply Chain Security Capabilities in ArgoCD

🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.

Plugin for Helm to integrate the sigstore ecosystem

Go library for Sigstore signing and verification

Example goreleaser + github actions config with keyless signing, SBOM generation, and attestations

🔍 Rekor transparency log monitoring and alerting

Transparenty Immutable Container Image Tags

Stream, Mutate and Sign Images with AWS Lambda and ECR

Go library for Sigstore signing and verification

Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.

Google Container Analysis data import utility, supports OSS vulnerability scanner reports, SLSA provenance and sigstore attestations.

Pulumi GitHub Sync for sigstore

Tools & services used to help in the development flow of sigstore

Supply Chain Security does not need to be difficult

Sign and package attestations in sigstore bundles

🔴🟡🟢 The Amazing Multipurpose Policy Engine (and L)