Sign your artifacts source code or container images using Sigstore chain of tools & Known Container Image Build tools, Save the Signatures you want to use within your Infra, and Validate & Control the deployments to allow only the known Signatures. Shift-left your supply chain security!
What's with the Name (in case if you are curious)? You can think of multiple ways. It has a flexible interpretation, like Signatures for Runtime or Runtime Signatures or Sign Software for Runtime use. Whatever you want to imagine! 😃
Before installing the application the following dependencies need to be installed:
- Kubernetes command line application
kubectl
- Golang version greater than 1.16
go install cmd/sigrun/sigrun.go
sigrun --help
Please refer to this for information about basic flow.
To make it easy to use SigStore chain of tools. Make the Supply Chain Security for Software adoption easy.
Local, CI/CD pipelines, K8s Clusters, VMs.
- Using Sigstore tools in your Infra for Air-Gap offline usage via your CI/CD Pipeline
- Sign your artifacts, container images, files, packages, etc. automatically along with their sha256 digest creation & saving into ledger
- Private & Public key-pair generator (Cosign, GPG, and more in future) for signing
- Keyless signing
- Save your artifacts signatures to certain ledger storage
- Save your container image signatures to certain ledger storage
- Validate Signatures using Storage location of Signatures
- Control deployments to allow only known Signatures using our Custom Admission Controller or OPA/Kyverno/Gatekeeper
- Vault Integration to save Keys if you prefer to save private key(s)
- CI/CD Tools integration
- Integration with tools like Buildpacks, Buildah, Source2Image, Kaniko, Skaffold, Docker Build, Podman, etc.
- OIDC/Dex embeded for Login
- Vulnerability Scanning of your container images
- Integrate with Non-Profit SigStore public services/tools
- Integrate with Syft for Software Bill of Materials (SBOM) [github.com/anchore/syft]
- Integrate with Package Hunter by Gitlab [gitlab.com/gitlab-org/security-products/package-hunter]
See MAINTAINERS.md