The Airgap Native Packager Manager for Kubernetes

Remove all the resources from an AWS account

Common go library shared across sigstore services and clients

An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster

Import Helm Charts to OCI registries, optionally with vulnerability patching

Cosign Github Action

sigstore the hard way!

Integrates Spiffe and Vault to have secretless authentication

Compage - Low-Code Framework to develop Rest API, gRPC, dRPC, GraphQL, WebAssembly, microservices, FaaS, Temporal workloads, IoT and edge services, K8s controllers, K8s CRDs, K8s custom APIs, K8s Operators, K8s hooks, etc. with minimal coding and by automatically applying best practice methods like software supply chain security measures, SBOM, …

🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

This is just a proof-of-concept project that aims to sign and verify container images using cosign and OPA (Open Policy Agent)

Veritensor is the Zero-Trust security open source tool for the AI Supply Chain. It replace naive model scanning with deep AST analysis and cryptographic signing. From CI/CD to production, Veritensor ensures only verified, safe, and compliant models make it to runtime. Stop guessing, start proving.

Example goreleaser + github actions config with keyless signing, SBOM generation, and attestations

Projeto final do curso Programa Intensivo em Containers e Kubernetes.

Kubernetes admission webhook that uses cosign verify to check the subject and issuer of the image matches what you expect

Stream, Mutate and Sign Images with AWS Lambda and ECR

Container Image Signing & Verifying on Ethereum [Testnet]

Proof of concept that uses cosign and GitHub's in built OIDC for actions to sign container images, providing a proof that what is in the registry came from your GitHub action.

My personal stop-gap mirror of OCI Helm Charts.

Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.