Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.
Home Page: https://sigrun.dev
License: Apache License 2.0
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
![reviewpad[bot] avatar](https://avatars.githubusercontent.com/in/196990?v=4 "reviewpad[bot]")
Investigate popular methods of managing cli state
sigrun should be usable outside kubernetes
sign the sigrun's ledger file as well. this will ensure ledger file is also protected. Signing ledger file should be the very last step to be executed. Only after signing ledger file the keys should be deleted.
Currently validation controller only validates requests coming from pods for "Create" and "Update". However there can be other kubernetes objects which create container please review and update configuration accordingly.
Currently secrets are in the install.yaml file for everyone to see. For security purposes sigrun controller should automatically create tls cert and register itself as a admission controller on deployment.
Currently controller has admin permissions, please change this.
use RFC 3161 timestamping service to save the timestamp format of RFC3161 timestamp as well along with the existing timestamp you are saving in sigrun ledger.
We can use those timestamps as well on the validation side policies in kyverno & OPA.
https://blog.sigstore.dev/its-ten-o-clock-do-you-know-where-your-private-keys-are-5c869cf53234
{
"Organization": "devopstoday211",
"Maintainers": "something",
"sigrun-sign-id": "sdafasdf1213sas",
"PublicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0zl9+NowQv3ILEqzVdxsBapesA0G\nWcFWdFQsSU4648ZDo17kh8z7g59VbHg0ABNttsYKPQmd7JjYbUXfqp+SAA==\n-----END PUBLIC KEY-----\n",
"Images": [
"docker.io/shravanss/sigrun-example"
],
"Signatures": [
{
"timestamp": "",
"signed-by": "",
"sign-mode": "",
"commit-id": "",
"signature":"",
"signer": "[email protected]",
"cert": "",
"checksum": "",
"iam": "github.com/azure.com/gmail.com/linkedin.com/gitlab.com/bitbucket/atlassian"
},
{
}
]
}
Currently controller exposes a path through ingress maybe there is a better way to communicate with the controller.
Give a persistent configuration setting for the end user to set whether to use rekor server to upload transparency log or not (of course we still have to create sigrun ledger as usual, no change in that).
If the end user wants to ignore rekor log upload and only use our ledger file to upload to the custom git repo, this will be good user experience.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.