Skip to content

Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.

License

Notifications You must be signed in to change notification settings

kube-tarian/sigrun

Folders and files

NameName
Last commit message
Last commit date
Aug 23, 2022
Jan 22, 2022
Jan 21, 2022
Dec 30, 2021
Jan 22, 2022
Jan 22, 2022
Sep 13, 2021
Aug 1, 2022
Jan 11, 2022
Jan 2, 2022
Aug 12, 2021
Jul 4, 2021
Jan 2, 2022
Nov 1, 2022
Jul 30, 2023
Jan 21, 2022
Jan 21, 2022
Jan 22, 2022
Apr 25, 2023
Jan 22, 2022
Jan 22, 2022
Jul 16, 2021
Nov 1, 2022

SigRun

Sign your artifacts source code or container images using Sigstore chain of tools & Known Container Image Build tools, Save the Signatures you want to use within your Infra, and Validate & Control the deployments to allow only the known Signatures. Shift-left your supply chain security!

What's with the Name (in case if you are curious)? You can think of multiple ways. It has a flexible interpretation, like Signatures for Runtime or Runtime Signatures or Sign Software for Runtime use. Whatever you want to imagine! 😃

Install

Dependencies

Before installing the application the following dependencies need to be installed:

  1. Kubernetes command line application kubectl
  2. Golang version greater than 1.16
go install cmd/sigrun/sigrun.go

Usage

sigrun --help

Please refer to this for information about basic flow.

Purpose:

To make it easy to use SigStore chain of tools. Make the Supply Chain Security for Software adoption easy.

Usage feasibility:

Local, CI/CD pipelines, K8s Clusters, VMs.

Features:

  • Using Sigstore tools in your Infra for Air-Gap offline usage via your CI/CD Pipeline
  • Sign your artifacts, container images, files, packages, etc. automatically along with their sha256 digest creation & saving into ledger
  • Private & Public key-pair generator (Cosign, GPG, and more in future) for signing
  • Keyless signing
  • Save your artifacts signatures to certain ledger storage
  • Save your container image signatures to certain ledger storage
  • Validate Signatures using Storage location of Signatures
  • Control deployments to allow only known Signatures using our Custom Admission Controller or OPA/Kyverno/Gatekeeper
  • Vault Integration to save Keys if you prefer to save private key(s)
  • CI/CD Tools integration
  • Integration with tools like Buildpacks, Buildah, Source2Image, Kaniko, Skaffold, Docker Build, Podman, etc.
  • OIDC/Dex embeded for Login
  • Vulnerability Scanning of your container images
  • Integrate with Non-Profit SigStore public services/tools
  • Integrate with Syft for Software Bill of Materials (SBOM) [github.com/anchore/syft]
  • Integrate with Package Hunter by Gitlab [gitlab.com/gitlab-org/security-products/package-hunter]

Contributing

See docs/contributing.md

Code of Conduct

See CODE_OF_CONDUCT.md

CodeOwners & Maintainers list

See MAINTAINERS.md

About

Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published