kube-tarian / sigrun

Sign your artifacts, source code or container images using Sigstore tools, save the signatures you want to trust, and validate and control deployments so that only known sources are admitted, based on signatures, maintainers and other payloads, automatically.
https://sigrun.dev
Apache License 2.0

SigRun

Sign your artifacts, source code or container images using the Sigstore chain of tools and known container image build tools, save the signatures you want to trust within your infrastructure, and validate and control deployments so that only workloads carrying those known signatures are admitted. Shift your supply chain security left!
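The workflow above (sign in the build pipeline, keep the trusted keys in the cluster, gate deployments on them) reduced to its core as an added Go example. This is not SigRun's or Sigstore's code: it uses the same primitive cosign uses, ECDSA P-256 over a SHA-256 hash, but signs a simplified payload (the digest-pinned image reference as text) rather than cosign's JSON payload, and the registry name, the maintainer label and the digest are constructed for the demo. The admission side refuses tag-only references, signatures from keys it does not know, and signatures over a different digest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// TrustedSigner is one entry in the cluster's store of known signers: a maintainer
// label and the ECDSA P-256 public key that must verify that maintainer's signatures.
type TrustedSigner struct {
	Maintainer string
	PublicKey  *ecdsa.PublicKey
}

const digestPrefix = "@sha256:"

// signingPayload derives the bytes that get signed from an image reference. Only
// digest-pinned references are accepted: a mutable tag says nothing about which
// bytes will actually run. (Assumption: a simplified stand-in for the JSON payload
// that cosign signs; the digest-pinning rule is the same in spirit.)
func signingPayload(imageRef string) ([]byte, error) {
	i := strings.Index(imageRef, digestPrefix)
	if i < 0 {
		return nil, errors.New("image reference is not pinned by digest")
	}
	digest := strings.ToLower(imageRef[i+len(digestPrefix):])
	if raw, err := hex.DecodeString(digest); err != nil || len(raw) != sha256.Size {
		return nil, errors.New("malformed sha256 digest")
	}
	return []byte("sha256:" + digest), nil
}

// SignImage is the build-pipeline side: sign the pinned reference with the
// maintainer's private key and return the signature base64-encoded, the form in
// which it would be stored next to the image or in a signature store.
func SignImage(priv *ecdsa.PrivateKey, imageRef string) (string, error) {
	payload, err := signingPayload(imageRef)
	if err != nil {
		return "", err
	}
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// AdmitImage is the admission-control side: allow the image only if its signature
// verifies under one of the trusted keys, and report which maintainer signed so the
// decision can be logged or policed per team. Everything else is denied, including
// a perfectly valid signature made by a key the cluster has never been told about.
func AdmitImage(trusted []TrustedSigner, imageRef, sigB64 string) (string, error) {
	payload, err := signingPayload(imageRef)
	if err != nil {
		return "", fmt.Errorf("deny %s: %w", imageRef, err)
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return "", fmt.Errorf("deny %s: signature is not base64", imageRef)
	}
	h := sha256.Sum256(payload)
	for _, t := range trusted {
		if ecdsa.VerifyASN1(t.PublicKey, h[:], sig) {
			return t.Maintainer, nil
		}
	}
	return "", fmt.Errorf("deny %s: no signature from a known maintainer", imageRef)
}

func main() {
	// Constructed demo: one maintainer key the cluster trusts, one key it has never seen.
	teamKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	strangerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	trusted := []TrustedSigner{{Maintainer: "platform-team", PublicKey: &teamKey.PublicKey}}

	// Constructed image reference and digest (not a real image).
	image := "registry.example.com/app@sha256:" + strings.Repeat("ab", 32)
	good, _ := SignImage(teamKey, image)
	bad, _ := SignImage(strangerKey, image)

	for _, c := range []struct{ ref, sig string }{
		{image, good},                                 // allowed: known key, same digest
		{image, bad},                                  // denied: key not in the trust store
		{strings.Replace(image, "ab", "cd", 1), good}, // denied: digest changed after signing
		{"registry.example.com/app:latest", good},     // denied: tag, not a digest
	} {
		who, err := AdmitImage(trusted, c.ref, c.sig)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("allow %s (signed by %s)\n", c.ref, who)
	}
}
```

The trust store here is an in-memory slice; in a cluster it would be whatever the signature store holds, and the AdmitImage decision is what an admission webhook or a Gatekeeper/OPA policy would return for each pod's images.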

What's with the name (in case you are curious)? You can read it several ways: Signatures for Runtime, Runtime Signatures, or Sign Software for Runtime use. Whichever you prefer! :smiley:

Install

Dependencies

Before installing the application, the following dependencies need to be installed:

  1. The Kubernetes command line tool, kubectl
  2. Go, version greater than 1.16

Then install the binary from the repository root:

go install cmd/sigrun/sigrun.go

Usage

sigrun --help

Please refer to this for information about the basic flow.

Purpose:

To make the Sigstore chain of tools easy to use, and so make adopting software supply chain security easy.

Usage feasibility:

Local machines, CI/CD pipelines, Kubernetes clusters and VMs.

Features:


Contributing

See docs/contributing.md

Code of Conduct

See CODE_OF_CONDUCT.md

CodeOwners & Maintainers list

See MAINTAINERS.md