A demonstration of how GoReleaser can help us make the software supply chain more secure by using a bunch of tools such as cosign, syft, grype, and slsa-provenance
Updated Feb 10, 2022 - Go
Example of GitHub Actions, goreleaser and cosign to release a Go-based CLI program.
My collection of the Daggerverse
A Sigstore KMS plugin for Alibaba Cloud KMS
CI/CD pipeline demo for a Golang web app using Docker, GitHub Actions, Trivy, Cosign & Slack integration.
(landing area for upstream contributions and carried patches)
Demo to showcase how to build a golang application using ko. Sign and push the image to the container registry using https://sigstore.dev. Apply policy controller on Kubernetes to allow only signed images.
Kubernetes Validation Admission Controller to verify Cosign signatures
Kubernetes admission webhook that uses cosign tools Container Sign Verify
Stream, Mutate and Sign Images with AWS Lambda and ECR
Docker Registry Authentication Made Simple
Sample Go application project with supply chain security workflows conforming to the SLSA Build Level 3 specification
Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.
Example goreleaser + github actions config with keyless signing, SBOM generation, and attestations
Integrates Spiffe and Vault to have secretless authentication