Anthropic-Cybersecurity-Skills/skills/implementing-image-provenance-verification-with-cosign/references/api-reference.md

API Reference: Implementing Image Provenance Verification with Cosign

Cosign CLI Commands

# Sign image (keyless with OIDC)
cosign sign --yes IMAGE_REF

# Sign with key
cosign sign --key cosign.key IMAGE_REF

# Verify (keyless)
cosign verify --certificate-identity USER --certificate-oidc-issuer ISSUER IMAGE_REF

# Verify with key
cosign verify --key cosign.pub IMAGE_REF

# Attach attestation
cosign attest --predicate sbom.json --type spdxjson IMAGE_REF

# Verify attestation
cosign verify-attestation --type spdxjson IMAGE_REF

# Get signature location
cosign triangulate IMAGE_REF

Sigstore Components

Component	Purpose
Cosign	Sign and verify images
Fulcio	Short-lived certificate authority
Rekor	Transparency log
policy-controller	Kubernetes admission

Attestation Types

Type	Predicate	Use Case
custom	Custom JSON	General
spdxjson	SPDX SBOM	Software bill of materials
cyclonedxjson	CycloneDX SBOM	Alt SBOM format
slsaprovenance	SLSA Provenance	Build provenance
vuln	Vulnerability scan	Scan results

Kyverno Policy (Kubernetes Admission)

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-images
spec:
  validationFailureAction: Enforce
  rules:
    - name: verify-cosign
      match:
        any:
          - resources: { kinds: [Pod] }
      verifyImages:
        - imageReferences: ["ghcr.io/org/*"]
          attestors:
            - entries:
                - keyless:
                    subject: "*@org.com"
                    issuer: "https://token.actions.githubusercontent.com"

References

• Sigstore: https://sigstore.dev/
• Cosign Docs: https://docs.sigstore.dev/cosign/signing/overview/
• SLSA Framework: https://slsa.dev/
• Kyverno Image Verification: https://kyverno.io/docs/writing-policies/verify-images/