mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-15 23:44:56 +03:00
mukul975
42 lines
1.2 KiB
Markdown
42 lines
1.2 KiB
Markdown
# Workflow - Image Provenance with Cosign
|
|
|
|
## Phase 1: Setup
|
|
1. Install cosign CLI
|
|
2. Choose signing method: keyless (recommended) or key-based
|
|
3. If key-based: generate keys, store private key in KMS
|
|
4. Configure CI/CD OIDC token for keyless signing
|
|
|
|
## Phase 2: Build Pipeline Integration
|
|
1. Build container image
|
|
2. Push to registry (by digest)
|
|
3. Sign image with cosign (keyless or key-based)
|
|
4. Generate SBOM with syft
|
|
5. Attach SBOM as attestation
|
|
6. Attach vulnerability scan as attestation
|
|
|
|
## Phase 3: Admission Enforcement
|
|
1. Deploy policy-controller or Kyverno
|
|
2. Create ClusterImagePolicy requiring signatures
|
|
3. Test with signed image (should pass)
|
|
4. Test with unsigned image (should be denied)
|
|
5. Enable enforcement in production namespaces
|
|
|
|
## Phase 4: Verification
|
|
```bash
|
|
# Manual verification
|
|
cosign verify --certificate-identity=CI_IDENTITY \
|
|
--certificate-oidc-issuer=ISSUER \
|
|
IMAGE@DIGEST
|
|
|
|
# Verify SBOM attestation
|
|
cosign verify-attestation --type cyclonedx \
|
|
--certificate-identity=CI_IDENTITY \
|
|
--certificate-oidc-issuer=ISSUER \
|
|
IMAGE@DIGEST
|
|
```
|
|
|
|
## Phase 5: Monitoring
|
|
1. Check Rekor transparency log for audit trail
|
|
2. Monitor admission controller deny events
|
|
3. Alert on unsigned image deployment attempts
|