container-signing

What problem does it solve?

Securing container builds by enabling cryptographic signing and provenance to prevent tampered images from being deployed.

Core Features & Use Cases

• Cosign-based signing of container images with keyless verification and optional attestations.
• SLSA provenance generation to prove build provenance and reproducibility for container artifacts.
• Verification & governance: validate signatures and attestations in CI/CD, GHCR publishing, and runtime environments.

Quick Start

Set up Cosign signing and SLSA provenance for your container builds and GHCR publishing in CI/CD pipelines.