creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 06:34:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-image-provenance-verification-with-cosign/references/workflows.md
T

1.2 KiB
Raw Blame History

Workflow - Image Provenance with Cosign

Phase 1: Setup

  1. Install cosign CLI
  2. Choose signing method: keyless (recommended) or key-based
  3. If key-based: generate keys, store private key in KMS
  4. Configure CI/CD OIDC token for keyless signing

Phase 2: Build Pipeline Integration

  1. Build container image
  2. Push to registry (by digest)
  3. Sign image with cosign (keyless or key-based)
  4. Generate SBOM with syft
  5. Attach SBOM as attestation
  6. Attach vulnerability scan as attestation

Phase 3: Admission Enforcement

  1. Deploy policy-controller or Kyverno
  2. Create ClusterImagePolicy requiring signatures
  3. Test with signed image (should pass)
  4. Test with unsigned image (should be denied)
  5. Enable enforcement in production namespaces

Phase 4: Verification

# Manual verification
cosign verify --certificate-identity=CI_IDENTITY \
  --certificate-oidc-issuer=ISSUER \
  IMAGE@DIGEST

# Verify SBOM attestation
cosign verify-attestation --type cyclonedx \
  --certificate-identity=CI_IDENTITY \
  --certificate-oidc-issuer=ISSUER \
  IMAGE@DIGEST

Phase 5: Monitoring

  1. Check Rekor transparency log for audit trail
  2. Monitor admission controller deny events
  3. Alert on unsigned image deployment attempts
Reference in New Issue View Git Blame Copy Permalink