Skill UI

Use Sigstore Cosign to sign, attest, and verify container images with keyless OIDC signing, SBOM/vulnerability attestations, and CI/CD admission enforcement for supply chain provenance security.

Implements container build integrity by orchestrating in-toto attestations across CI/CD steps, ensuring signed provenance, SBOMs, and policy-compliant deployment verification in Kubernetes environments.

Validates Helm chart provenance, scans rendered templates for misconfigurations, enforces pod security contexts, and hardens RBAC/secrets workflows so Kubernetes deployments stay compliant.

Implements Cosign keyless signing with Fulcio certificates, Rekor log audit, and OIDC identity binding so container images and artifacts gain verifiable provenance within CI/CD pipelines.

This skill provides robust mechanisms to verify the integrity of AI agent plugins, tools, and dependencies. It generates deterministic SHA-256 manifests (INTEGRITY.json) for all components, allowing users to detect unauthorized modifications, track provenance, and ensure that deployed assets match their published versions. Use this during CI/CD pipelines, code review, and pre-production promotion to secure the entire agent ecosystem.