I'm concerned about potential supply chain leaks or attacks when downloading container images from external registries. It's essential for me to ensure the integrity and provenance of these images. I'm exploring options for using cryptographic signing methods, like Sigstore or Cosign, to automatically verify images during builds or deployments. Has anyone set up checks like this in their CI/CD pipelines to enforce image trust?
3 Answers
Yeah, Cosign combined with Sigstore makes it pretty simple. Once you get it configured, every build will automatically fail if images are unsigned. It's a great way to keep things secure!
Check out Minimus! Their images are signed and fit nicely into CI checks. We added a step in our pipeline recently, and it really helps enforce trust across our system.
Using Cosign or Sigstore is a solid approach! You can add a CI step to check for signed images and fail the build if they aren't signed. This really tightens up your supply chain and reduces risk.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures