creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 06:34:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-image-provenance-verification-with-cosign/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

76 lines
1.9 KiB
Markdown
Raw Blame History

# API Reference: Implementing Image Provenance Verification with Cosign
## Cosign CLI Commands
```bash
# Sign image (keyless with OIDC)
cosign sign --yes IMAGE_REF
# Sign with key
cosign sign --key cosign.key IMAGE_REF
# Verify (keyless)
cosign verify --certificate-identity USER --certificate-oidc-issuer ISSUER IMAGE_REF
# Verify with key
cosign verify --key cosign.pub IMAGE_REF
# Attach attestation
cosign attest --predicate sbom.json --type spdxjson IMAGE_REF
# Verify attestation
cosign verify-attestation --type spdxjson IMAGE_REF
# Get signature location
cosign triangulate IMAGE_REF
```
## Sigstore Components
| Component | Purpose |
|-----------|---------|
| Cosign | Sign and verify images |
| Fulcio | Short-lived certificate authority |
| Rekor | Transparency log |
| policy-controller | Kubernetes admission |
## Attestation Types
| Type | Predicate | Use Case |
|------|-----------|----------|
| `custom` | Custom JSON | General |
| `spdxjson` | SPDX SBOM | Software bill of materials |
| `cyclonedxjson` | CycloneDX SBOM | Alt SBOM format |
| `slsaprovenance` | SLSA Provenance | Build provenance |
| `vuln` | Vulnerability scan | Scan results |
## Kyverno Policy (Kubernetes Admission)
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-images
spec:
validationFailureAction: Enforce
rules:
- name: verify-cosign
match:
any:
- resources: { kinds: [Pod] }
verifyImages:
- imageReferences: ["ghcr.io/org/*"]
attestors:
- entries:
- keyless:
subject: "*@org.com"
issuer: "https://token.actions.githubusercontent.com"
```
### References
- Sigstore: https://sigstore.dev/
- Cosign Docs: https://docs.sigstore.dev/cosign/signing/overview/
- SLSA Framework: https://slsa.dev/
- Kyverno Image Verification: https://kyverno.io/docs/writing-policies/verify-images/
Reference in New Issue View Git Blame Copy Permalink