
sigstore / sigstore

License: Apache-2.0
Common Go library shared across sigstore services and clients

sigstore framework

sigstore/sigstore is a generic library / framework used by other sigstore clients and projects, including fulcio (the certificate authority that issues short-lived code-signing certificates bound to OpenID Connect identities), cosign (the container and OCI artifact signing tool) and tektoncd/chains (supply chain security for Tekton Pipelines).

sigstore is the right starting point for anyone building Go-based sigstore clients or systems who wants to reuse existing Go modules for common sigstore functionality rather than reimplementing it.

This library currently provides:

  • A signing and verification interface with implementations for ECDSA, Ed25519 and RSA keys, plus DSSE envelope signing (the envelope format used by in-toto attestations)
  • OpenID Connect (OIDC) client code for the fulcio authentication flow

The following key management systems (KMS) are supported as signing backends, so the private key never has to leave the KMS:

  • AWS Key Management Service
  • Azure Key Vault
  • HashiCorp Vault
  • Google Cloud Platform Key Management Service

For example code, see the test file that accompanies each main source file.
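
As an added, stand-alone illustration of the signing interface and DSSE support listed above (example code written for this page, not code from the sigstore/sigstore library), the following Go program uses only the standard library. It models a SignerVerifier interface with ECDSA P-256 and Ed25519 implementations, wraps a payload in a DSSE envelope by signing the Pre-Authentication Encoding (PAE) rather than the raw payload, and shows why that matters: re-labelling the same payload under a different payloadType fails verification. The SignMessage / VerifySignature method names, the key IDs, and the sample in-toto statement are assumptions of this example; RSA is omitted but follows the ECDSA pattern over the SHA-256 digest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
)

// SignerVerifier is the shape of a sigstore-style signing interface: one implementation per
// key algorithm, so the DSSE code below never touches key material. Method names are assumed.
type SignerVerifier interface {
	SignMessage(msg []byte) ([]byte, error)
	VerifySignature(sig, msg []byte) error
}

// ecdsaSV signs a SHA-256 digest with ECDSA P-256 (RSA would use rsa.SignPKCS1v15 the same way).
type ecdsaSV struct{ priv *ecdsa.PrivateKey }

func (s ecdsaSV) SignMessage(m []byte) ([]byte, error) {
	h := sha256.Sum256(m)
	return ecdsa.SignASN1(rand.Reader, s.priv, h[:])
}
func (s ecdsaSV) VerifySignature(sig, m []byte) error {
	if h := sha256.Sum256(m); !ecdsa.VerifyASN1(&s.priv.PublicKey, h[:], sig) {
		return errors.New("ecdsa: invalid signature")
	}
	return nil
}

// ed25519SV signs the message directly: Ed25519 hashes internally, so there is no pre-digest.
type ed25519SV struct{ priv ed25519.PrivateKey }

func (s ed25519SV) SignMessage(m []byte) ([]byte, error) { return ed25519.Sign(s.priv, m), nil }
func (s ed25519SV) VerifySignature(sig, m []byte) error {
	if !ed25519.Verify(s.priv.Public().(ed25519.PublicKey), m, sig) {
		return errors.New("ed25519: invalid signature")
	}
	return nil
}

// NewSigners generates throwaway keys; real code loads them from a file, a KMS or Fulcio.
func NewSigners() (map[string]SignerVerifier, error) {
	ec, errEC := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	_, ed, errED := ed25519.GenerateKey(rand.Reader)
	if errEC != nil || errED != nil {
		return nil, errors.New("key generation failed")
	}
	return map[string]SignerVerifier{"ecdsa-p256": ecdsaSV{ec}, "ed25519": ed25519SV{ed}}, nil
}

// Envelope is the DSSE JSON envelope: base64 payload plus signatures over PAE(type, payload).
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// PAE is DSSE's Pre-Authentication Encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body,
// lengths in decimal ASCII. Signing the type as well means a payload cannot be replayed under another type.
func PAE(payloadType string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " " + string(payload))
}

// WrapDSSE signs the PAE, not the raw payload, and packs both into an envelope.
func WrapDSSE(sv SignerVerifier, keyID, payloadType string, payload []byte) (*Envelope, error) {
	sig, err := sv.SignMessage(PAE(payloadType, payload))
	if err != nil {
		return nil, err
	}
	return &Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// VerifyDSSE returns the decoded payload once any signature verifies over the PAE rebuilt
// from the envelope's own payloadType and payload; a changed type or payload changes the PAE.
func VerifyDSSE(sv SignerVerifier, env *Envelope) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	pae := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && sv.VerifySignature(sig, pae) == nil {
			return payload, nil
		}
	}
	return nil, errors.New("dsse: no signature verified")
}

func main() {
	svs, err := NewSigners()
	if err != nil {
		panic(err)
	}
	stmt := []byte(`{"_type":"https://in-toto.io/Statement/v0.1"}`) // constructed sample statement
	for name, sv := range svs {
		env, err := WrapDSSE(sv, name, "application/vnd.in-toto+json", stmt)
		if err != nil {
			panic(err)
		}
		_, okErr := VerifyDSSE(sv, env)
		env.PayloadType = "text/plain" // tamper: same payload bytes under a different type
		_, tamperErr := VerifyDSSE(sv, env)
		fmt.Printf("%s: verified=%v tamper-rejected=%v\n", name, okErr == nil, tamperErr != nil)
	}
}
```

A KMS-backed signer fits the same shape: it only has to return a signature over the PAE bytes, so the private key never has to leave the KMS, and the envelope code above is unchanged.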

Fuzzing

The fuzz tests live under https://github.com/sigstore/sigstore/tree/main/test/fuzz

Security

Should you discover a security issue, please follow sigstore's security process.

This repository is a library; for signing containers, use cosign.
