This project forked from kube-tarian/sigrun

Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.

Home Page: https://sigrun.dev

License: Apache License 2.0


SigRun

Sign your artifacts, source code or container images using the Sigstore chain of tools and well-known container image build tools, save the signatures you want to trust within your infrastructure, and validate and control deployments so that only known signatures are allowed. Shift your supply chain security left!

What's with the name (in case you are curious)? You can think of it in multiple ways. It has a flexible interpretation, like Signatures for Runtime, Runtime Signatures, or Sign Software for Runtime use. Whatever you want to imagine!

Install

Dependencies

Before installing the application, the following dependencies need to be installed:

  1. The Kubernetes command line tool, kubectl
  2. Go version 1.16 or greater

Then install sigrun from the repository root:

    go install cmd/sigrun/sigrun.go

Usage

    sigrun --help

Please refer to this for information about the basic flow.

Purpose:

To make the Sigstore chain of tools easy to use, and to make adopting software supply chain security easy.

Usage feasibility:

Local, CI/CD pipelines, K8s Clusters, VMs.

Features:

  • Use Sigstore tools within your own infrastructure for air-gapped, offline usage via your CI/CD pipeline
  • Sign your artifacts, container images, files, packages, etc. automatically, creating their sha256 digests and saving them into a ledger
  • Private and public key-pair generator (Cosign, GPG, and more in future) for signing
  • Keyless signing
  • Save your artifact signatures to a chosen ledger storage
  • Save your container image signatures to a chosen ledger storage
  • Validate signatures against the storage location of the signatures
  • Control deployments to allow only known signatures, using our custom admission controller or OPA/Kyverno/Gatekeeper
  • Vault integration to store keys, if you prefer to keep private key(s)
  • CI/CD tools integration
  • Integration with tools like Buildpacks, Buildah, Source2Image, Kaniko, Skaffold, Docker Build, Podman, etc.
  • OIDC/Dex embedded for login
  • Vulnerability scanning of your container images
  • Integrate with the non-profit Sigstore public services/tools
  • Integrate with Syft for Software Bill of Materials (SBOM) [github.com/anchore/syft]
  • Integrate with Package Hunter by GitLab [gitlab.com/gitlab-org/security-products/package-hunter]

Contributing

See docs/contributing.md

Code of Conduct

See CODE_OF_CONDUCT.md

CodeOwners & Maintainers list

See MAINTAINERS.md

Contributors

deepsourcebot, devopstoday11, mend-bolt-for-github[bot], shravanshetty1
