Does this skill require GitHub Container Registry (GHCR)?

While the implementation is optimized for GHCR due to its native support for GitHub attestations, the Cosign signing and OCI labeling logic can be adapted for other registries like Docker Hub or Amazon ECR.

Why is SLSA provenance important for containers?

SLSA (Supply-chain Levels for Software Artifacts) provenance provides verifiable proof of how an artifact was built. It ensures that the container image you are deploying was actually built by your trusted CI/CD pipeline and hasn't been tampered with.

What is keyless signing in this context?

Keyless signing uses GitHub's OIDC identity provider to sign images without the need to manage or store long-lived private keys. The signature is cryptographically tied to the specific GitHub Actions workflow, repository, and commit SHA.

What permissions does the GitHub Actions workflow need?

The workflow requires 'id-token: write' to obtain the OIDC token for keyless signing and 'attestations: write' to create and upload the build provenance records.

Container Signing & Attestation

Name: Container Signing & Attestation
Author: cameronsjo

bycameronsjo

0•

Deployment & DevOps

Implements cryptographic signing and SLSA build provenance for Docker images using Sigstore Cosign and GitHub Actions.

This skill automates the implementation of supply chain security for containerized applications by providing a standardized framework for image signing and attestation. It guides developers through adding OCI-compliant metadata to Dockerfiles and configuring GitHub Actions for keyless signing via Sigstore Cosign. By integrating SLSA (Supply-chain Levels for Software Artifacts) provenance, the skill enables teams to cryptographically prove the origin and integrity of their container images, which is essential for achieving high-level security compliance and protecting against supply chain attacks in production environments.

Key Features

010 GitHub stars

02SLSA build provenance attestation generation for container artifacts

03Automated keyless signing using GitHub OIDC and Sigstore Cosign

04Standardized verification commands for signature and provenance audits

05Pre-configured OCI-compliant Dockerfile labeling patterns

06Production-ready GitHub Actions workflow for GHCR publishing

Use Cases

01Configuring secure CI/CD pipelines for GitHub Container Registry (GHCR)

02Securing container supply chains for production deployments

03Meeting SLSA compliance requirements for enterprise software projects

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add cameronsjo/dev-toolkit container-signing

For use in Claude.ai and ChatGPT

Download Skill