How does it handle CVE scanning?

It provides policy templates that evaluate scan attestations and can automatically block the deployment of container images that contain critical vulnerabilities.

What is Kyverno image validation?

It is the process of using Kyverno policies to verify that container images meet specific security criteria, such as coming from a trusted registry or having a valid signature, before they are allowed to run in a Kubernetes cluster.

Can I use this skill for signature verification?

Yes, the skill includes specific templates for implementing cryptographic signature verification to ensure that images have not been tampered with and come from trusted builders.

Is it safe to apply these security policies to an existing cluster?

The skill recommends a phased rollout approach—beginning with registry allowlists and digest requirements—to minimize disruption while gradually hardening your security posture.

Why should I use image digests instead of tags?

Image tags are mutable and can be updated to point to different images. Using SHA-256 digests ensures an immutable reference, meaning you always deploy the exact same version of the code.

Kyverno Image Security & Validation

Name: Kyverno Image Security & Validation
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

セキュリティとテスト

Secures Kubernetes clusters by enforcing container image validation policies including registry allowlists, signatures, and vulnerability gates.

概要

This skill provides a comprehensive framework for implementing software supply chain security in Kubernetes using Kyverno. It guides developers and platform engineers through a phased rollout of image validation controls, starting from basic registry restrictions and immutable image digests to advanced cryptographic signature verification and CVE-based deployment gates. By using these templates, teams can ensure that only trusted, verified, and scanned container images are permitted to run in production environments, significantly reducing the attack surface of the K8s infrastructure.

主な機能

Immutable image reference validation via SHA-256 digests
Vulnerability scanning gates to block images with critical CVEs
0 GitHub stars
Registry allowlist enforcement to block untrusted container sources
Cryptographic signature verification for supply chain integrity
Standardization templates for approved base images

ユースケース

Implementing a Zero Trust container supply chain for production K8s clusters
Preventing the deployment of vulnerable container images using scan attestations
Automating compliance requirements for image provenance and integrity

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills kyverno-image-validation-templates

For use in Claude.ai and ChatGPT

Download Skill

GitHub

概要