mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 19:05:17 +03:00
Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
This commit is contained in:
+75
@@ -0,0 +1,75 @@
|
||||
# API Reference: Implementing Image Provenance Verification with Cosign
|
||||
|
||||
## Cosign CLI Commands
|
||||
|
||||
```bash
|
||||
# Sign image (keyless with OIDC)
|
||||
cosign sign --yes IMAGE_REF
|
||||
|
||||
# Sign with key
|
||||
cosign sign --key cosign.key IMAGE_REF
|
||||
|
||||
# Verify (keyless)
|
||||
cosign verify --certificate-identity USER --certificate-oidc-issuer ISSUER IMAGE_REF
|
||||
|
||||
# Verify with key
|
||||
cosign verify --key cosign.pub IMAGE_REF
|
||||
|
||||
# Attach attestation
|
||||
cosign attest --predicate sbom.json --type spdxjson IMAGE_REF
|
||||
|
||||
# Verify attestation
|
||||
cosign verify-attestation --type spdxjson IMAGE_REF
|
||||
|
||||
# Get signature location
|
||||
cosign triangulate IMAGE_REF
|
||||
```
|
||||
|
||||
## Sigstore Components
|
||||
|
||||
| Component | Purpose |
|
||||
|-----------|---------|
|
||||
| Cosign | Sign and verify images |
|
||||
| Fulcio | Short-lived certificate authority |
|
||||
| Rekor | Transparency log |
|
||||
| policy-controller | Kubernetes admission |
|
||||
|
||||
## Attestation Types
|
||||
|
||||
| Type | Predicate | Use Case |
|
||||
|------|-----------|----------|
|
||||
| `custom` | Custom JSON | General |
|
||||
| `spdxjson` | SPDX SBOM | Software bill of materials |
|
||||
| `cyclonedxjson` | CycloneDX SBOM | Alt SBOM format |
|
||||
| `slsaprovenance` | SLSA Provenance | Build provenance |
|
||||
| `vuln` | Vulnerability scan | Scan results |
|
||||
|
||||
## Kyverno Policy (Kubernetes Admission)
|
||||
|
||||
```yaml
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: verify-images
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
rules:
|
||||
- name: verify-cosign
|
||||
match:
|
||||
any:
|
||||
- resources: { kinds: [Pod] }
|
||||
verifyImages:
|
||||
- imageReferences: ["ghcr.io/org/*"]
|
||||
attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
subject: "*@org.com"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
```
|
||||
|
||||
### References
|
||||
|
||||
- Sigstore: https://sigstore.dev/
|
||||
- Cosign Docs: https://docs.sigstore.dev/cosign/signing/overview/
|
||||
- SLSA Framework: https://slsa.dev/
|
||||
- Kyverno Image Verification: https://kyverno.io/docs/writing-policies/verify-images/
|
||||
Reference in New Issue
Block a user