Skill UI

This skill guides implementing robust code signing for software artifacts (binaries, packages, containers). It ensures integrity and authenticity throughout the entire software supply chain. Learn to use traditional methods like GPG and modern, keyless approaches like Sigstore (cosign) to establish trust chains, verify provenance, and meet compliance standards (e.g., SLSA).

This guide details implementing robust container image provenance verification using Cosign, a Sigstore tool. It covers key-based and keyless (OIDC) signing methods, enabling secure supply chain practices. Users can sign images, attach critical attestations (such as SBOMs and vulnerability scans), and enforce verification in CI/CD pipelines and Kubernetes environments to ensure high integrity and trust.

This skill guides the implementation of comprehensive security controls for container registries. It details workflows for vulnerability scanning using Trivy and Grype, generating Software Bill of Materials (SBOMs) with Syft, and enforcing image authenticity using Cosign and Sigstore. It is essential for building robust CI/CD pipelines and preventing supply chain attacks by ensuring only scanned, signed, and compliant images are deployed.

Harbor is an open-source container registry designed for robust security and compliance. This guide details the comprehensive workflow for securing your container ecosystem by implementing advanced features such as vulnerability scanning (Trivy), image signing (Notary/Cosign), Role-Based Access Control (RBAC), and content trust policies. Learn how to enforce image provenance and maintain strict access control in Kubernetes environments.

This guide details how to implement secure, keyless software signing using the Sigstore ecosystem components (Cosign, Fulcio, Rekor). It establishes cryptographic provenance for container images and binaries by binding identity via OIDC, ensuring verifiable integrity and tamper-proofing throughout the CI/CD supply chain.