Securing CI/CD Images with Cosign and OPA

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • OPA (Open Policy Agent)

    Open Policy Agent (OPA) is an open source, general-purpose policy engine.

  • In essence, container image signing involves adding a digital stamp to an image, affirming its authenticity. This digital assurance guarantees that the image is unchanged from creation to deployment. In this blog, I'll explain how to sign container images for Kubernetes using Cosign and the Open Policy Agent. I will also share a tutorial that demonstrates these concepts.

  • cosign

    Code signing and transparency for containers and binaries

  • Cosign: In this context, Cosign from the Sigstore project offers a compelling solution. Its simplicity, registry compatibility, and effective link between images and their signatures provide a user-friendly and versatile approach. The integration of Fulcio for certificate management and Rekor for secure logging enhances Cosign's appeal, making it particularly suitable for modern development environments that prioritize security and agility.

  • grafeas

    Artifact Metadata API

  • Grafeas: While Grafeas offers a comprehensive solution for the software development lifecycle, it is not designed for public or open-source software (OSS) image verification. It's better suited for first-party integration, particularly with Google Kubernetes Engine (GKE).

  • notation

    A CLI tool to sign and verify artifacts (by notaryproject)

  • Notary v2: The evolution to Notary v2 brought improvements in signature portability and integration with third-party key management solutions. However, it does not provide a certificate authority, leaving public key discovery for open-source image verification as an unresolved issue.
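
The Cosign and OPA excerpts above describe a two-stage gate: Cosign checks the cryptographic side (signature, Fulcio certificate, Rekor entry) and prints only the signatures that passed, while a policy engine decides whether the identity that signed is one the cluster trusts. The block below is an added example, not code from the original post or from the Cosign or OPA projects. It models the policy stage in Python as a set of deny rules, the same shape an OPA `deny[msg]` rule set would take, applied to a constructed sample of keyless `cosign verify` JSON output. The registry name, workflow identity and digest are hypothetical values chosen for the example.

```python
"""Policy layer over `cosign verify` output, modelled on an OPA deny-rule set.

Added example, not the original post's or Cosign's code. Assumed pipeline
(an assumption, not from the page):

    cosign verify --certificate-oidc-issuer <issuer> \
        --certificate-identity-regexp <subject-regex> \
        ghcr.io/example/app@sha256:<digest> > verify.json

Cosign prints only signatures whose cryptographic checks passed, so this
layer is about *who* signed and *what* was signed, not about the crypto.
"""
import json
import re

# Hypothetical trust anchors: a GitHub Actions release workflow is the only
# signer allowed, and only one repository may be deployed.
TRUSTED_ISSUER = "https://token.actions.githubusercontent.com"
TRUSTED_SUBJECT = re.compile(
    r"^https://github\.com/example/app/\.github/workflows/release\.yml@refs/heads/main$"
)
ALLOWED_REPOSITORY = "ghcr.io/example/app"

# Constructed sample modelled on cosign's keyless verify output; not real output.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": "ghcr.io/example/app"},
            "image": {"docker-manifest-digest": SAMPLE_DIGEST},
            "type": "cosign container image signature",
        },
        "optional": {
            "Issuer": "https://token.actions.githubusercontent.com",
            "Subject": "https://github.com/example/app/.github/workflows/release.yml@refs/heads/main",
        },
    }
])


def parse_image_ref(ref):
    """Split 'repo@sha256:...' into (repo, digest); a tag-only ref yields digest None."""
    if "@" in ref:
        repo, digest = ref.split("@", 1)
        return repo, digest
    head, _, last = ref.rpartition("/")
    name = last.split(":", 1)[0]  # strip the tag; a host:port never lands in `last`
    return (head + "/" + name) if head else name, None


def _signature_is_trusted(sig, repo, digest):
    """One verified signature binds the trusted identity to this repo and digest."""
    if not isinstance(sig, dict):
        return False
    critical = sig.get("critical") or {}
    optional = sig.get("optional") or {}
    signed_repo = (critical.get("identity") or {}).get("docker-reference")
    signed_digest = (critical.get("image") or {}).get("docker-manifest-digest")
    return (
        signed_repo == repo
        and signed_digest == digest
        and optional.get("Issuer") == TRUSTED_ISSUER
        and TRUSTED_SUBJECT.match(optional.get("Subject", "")) is not None
    )


def evaluate(verify_output, deployed_ref):
    """Return the set of deny messages; an empty set means the image is admitted.

    Each check mirrors one OPA `deny[msg]` rule: every rule that fires adds a
    message, and admission requires that no rule fired.
    """
    deny = set()
    repo, digest = parse_image_ref(deployed_ref)

    if digest is None:
        deny.add(f"image must be pinned by digest, not tag: {deployed_ref}")
    if repo != ALLOWED_REPOSITORY:
        deny.add(f"repository {repo} is not in the allow-list")

    try:
        sigs = json.loads(verify_output)
    except (ValueError, TypeError):
        sigs = None
    if not isinstance(sigs, list) or not sigs:
        deny.add(f"no verified cosign signature for {deployed_ref}")
        return deny

    # Admission needs at least one signature that satisfies every identity check;
    # extra signatures from other identities are ignored rather than fatal.
    if not any(_signature_is_trusted(s, repo, digest) for s in sigs):
        deny.add(f"no signature from the trusted issuer/identity covers digest {digest}")
    return deny


if __name__ == "__main__":
    for ref in (f"ghcr.io/example/app@{SAMPLE_DIGEST}", "ghcr.io/example/app:latest"):
        result = evaluate(SAMPLE_VERIFY_OUTPUT, ref)
        print(ref, "->", "ADMIT" if not result else sorted(result))
```

The digest pin and repository checks deliberately run before the signature check: a tag can be re-pointed after verification, so a policy that admits `app:latest` because a signature existed at verify time proves nothing about what the kubelet later pulls. The same rules translate directly into Rego for OPA or Gatekeeper, with `input` holding the verify output and the Pod's image reference.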

Related posts

  • OPA (Open Policy Agent) VS topaz - a user suggested alternative

    2 projects | 25 Jul 2023
  • open-policy-agent/gatekeeper-library: The OPA Gatekeeper policy library.

    1 project | /r/devopsish | 8 Mar 2023
  • Cloud Native Applications - Part 2: Security

    3 projects | dev.to | 28 Jan 2023
  • Kubernetes Hardening Guidance [pdf]

    2 projects | news.ycombinator.com | 5 Oct 2022
  • Security scanning of k8s manifest files vs running cluster

    1 project | /r/kubernetes | 28 Sep 2022