.claude/skills/ts-cosign/SKILL.md
Expert guidance for Cosign, the Sigstore tool for signing, verifying, and attaching metadata to container images and other OCI artifacts. Helps developers implement supply chain security by signing images in CI/CD, verifying signatures before deployment, and attaching SBOMs and vulnerability scan results as attestations.
```bash
# Install
brew install cosign

# Generate a keypair
cosign generate-key-pair
# Creates cosign.key (private, passphrase-encrypted) and cosign.pub (public)

# Sign an image after building
docker build -t myregistry.com/myapp:v1.2.3 .
docker push myregistry.com/myapp:v1.2.3
cosign sign --key cosign.key myregistry.com/myapp:v1.2.3
# Prefer signing the immutable digest (myapp@sha256:...) over a mutable tag;
# cosign prints a warning when it has to resolve a tag at signing time

# Verify before deploying
cosign verify --key cosign.pub myregistry.com/myapp:v1.2.3

# Keyless signing with Sigstore (no key management!)
# Uses OIDC identity (GitHub Actions, Google, etc.)
cosign sign myregistry.com/myapp:v1.2.3
# Opens browser for OIDC login, signs with ephemeral key,
# records signature in Rekor transparency log

# Keyless verification: pin both the signer identity and the OIDC issuer,
# otherwise a certificate issued to anyone by Fulcio would be accepted
cosign verify \
  --certificate-identity=<signer-email> \
  --certificate-oidc-issuer=https://accounts.google.com \
  myregistry.com/myapp:v1.2.3
```
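The verify step above is only as strong as the identity and issuer it pins. The following added Python example (not part of this skill page or of Sigstore) applies a deployment policy to the JSON that `cosign verify` prints: it requires the expected OIDC issuer, matches the certificate subject against an identity pattern, and checks that the signed manifest digest is the one about to be deployed. The sample verify output is constructed; its `critical`/`optional` layout and `Issuer`/`Subject` keys follow cosign's verify output as I understand it, and the image name, digest and identities are invented. It also shows why the `--certificate-identity-regexp` form used later on this page must be anchored: cosign applies the pattern as an unanchored match, so `.*@myorg.com` also accepts a lookalike subject such as `release-bot@myorg.com.attacker.example`.

```python
import json
import re

ISSUER_GOOGLE = "https://accounts.google.com"

# Constructed sample of the JSON `cosign verify` prints for keyless signatures
# (an array with one object per signature that passed verification). The
# critical/optional layout and the Issuer/Subject keys follow cosign's output
# format; the image name, digests and identities are made up for this example.
SAMPLE_VERIFY_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": "ghcr.io/myorg/myapp"},
            "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
            "type": "cosign container image signature",
        },
        "optional": {"Issuer": ISSUER_GOOGLE, "Subject": "release-bot@myorg.com"},
    },
    {
        "critical": {
            "identity": {"docker-reference": "ghcr.io/myorg/myapp"},
            "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
            "type": "cosign container image signature",
        },
        # Lookalike identity on a domain we do not control
        "optional": {"Issuer": ISSUER_GOOGLE, "Subject": "release-bot@myorg.com.attacker.example"},
    },
])

EXPECTED_DIGEST = "sha256:" + "ab" * 32


def signature_matches(entry, identity_regex, issuer, digest):
    """True if a single verify entry satisfies the deployment policy.

    cosign applies --certificate-identity-regexp as an unanchored match, so
    re.search (not re.fullmatch) is used here to reproduce that behaviour.
    The digest comparison binds the signature to the exact image being
    deployed instead of a mutable tag.
    """
    optional = entry.get("optional") or {}
    critical = entry["critical"]
    if optional.get("Issuer") != issuer:
        return False
    if re.search(identity_regex, optional.get("Subject", "")) is None:
        return False
    return critical["image"]["docker-manifest-digest"] == digest


def accepted_signers(verify_output, identity_regex, issuer, digest):
    """Return the Subject of every signature the policy accepts."""
    return [
        entry["optional"]["Subject"]
        for entry in json.loads(verify_output)
        if signature_matches(entry, identity_regex, issuer, digest)
    ]


if __name__ == "__main__":
    loose = r".*@myorg.com"             # unanchored, dot unescaped
    strict = r"^[a-z.-]+@myorg\.com$"   # anchored, dot escaped
    print("loose :", accepted_signers(SAMPLE_VERIFY_OUTPUT, loose, ISSUER_GOOGLE, EXPECTED_DIGEST))
    print("strict:", accepted_signers(SAMPLE_VERIFY_OUTPUT, strict, ISSUER_GOOGLE, EXPECTED_DIGEST))
```

Run it and the loose pattern admits both signers while the anchored one admits only `release-bot@myorg.com`; the same `^...$` anchoring and `\.` escaping belongs in the value you pass to `--certificate-identity-regexp`.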
```yaml
# .github/workflows/build.yml — Sign images in CI
jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # Required for keyless signing (OIDC token for Fulcio)
      packages: write   # Push to GHCR with GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        id: build
        run: |
          # GHCR requires a lowercase repository path; github.repository keeps the owner's case
          IMAGE="ghcr.io/$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]'):${{ github.sha }}"
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
          # Sign and attest the immutable digest, not the mutable tag
          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
          echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Install syft and grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin

      - name: Sign image (keyless)
        # cosign v2 (what cosign-installer@v3 installs) signs keyless by default;
        # COSIGN_EXPERIMENTAL=1 was only needed with cosign v1
        run: |
          cosign sign \
            --yes \
            "${{ steps.build.outputs.digest }}"

      - name: Attach SBOM
        run: |
          # Generate SBOM with syft
          syft "${{ steps.build.outputs.digest }}" -o spdx-json > sbom.spdx.json
          # Attach SBOM as an attestation
          cosign attest \
            --yes \
            --predicate sbom.spdx.json \
            --type spdxjson \
            "${{ steps.build.outputs.digest }}"

      - name: Attach vulnerability scan
        run: |
          # Scan with grype
          grype "${{ steps.build.outputs.digest }}" -o json > vuln-scan.json
          # Attach scan results. --type vuln labels the predicate with cosign's
          # vulnerability-attestation type; grype's raw JSON does not follow that
          # schema, so consumers must expect grype output here (or use --type custom)
          cosign attest \
            --yes \
            --predicate vuln-scan.json \
            --type vuln \
            "${{ steps.build.outputs.digest }}"
```
```yaml
# Kubernetes policy: only deploy signed images
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences:
            - "ghcr.io/myorg/*"
          attestors:
            - entries:
                - keyless:
                    # Subject is the workflow identity in the Fulcio certificate, e.g.
                    # https://github.com/myorg/myapp/.github/workflows/build.yml@refs/heads/main
                    subject: "https://github.com/myorg/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: "https://rekor.sigstore.dev"
```
```bash
# Attest build provenance (SLSA)
cosign attest \
  --yes \
  --predicate provenance.json \
  --type slsaprovenance \
  myregistry.com/myapp:v1.2.3

# Verify attestation
# Anchor the identity regexp and escape the dot: an unanchored ".*@myorg.com"
# also matches "alice@myorg.com.attacker.example"
cosign verify-attestation \
  --type spdxjson \
  --certificate-identity-regexp='^.*@myorg\.com$' \
  --certificate-oidc-issuer=https://accounts.google.com \
  myregistry.com/myapp:v1.2.3

# Download and inspect attached SBOM: each line is a DSSE envelope whose
# .payload is a base64-encoded in-toto statement. `download` does not verify
# anything, so run verify-attestation first
cosign download attestation myregistry.com/myapp:v1.2.3 | jq -r '.payload' | base64 -d | jq .
```
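The `jq | base64 -d | jq` pipeline above shows the raw statement but checks nothing. As an added Python example (mine, not code from this skill page or from Sigstore), the block below decodes a DSSE envelope in the shape `cosign download attestation` prints, confirms the payload is an in-toto statement of the requested predicate type, and refuses it unless one of its subjects carries the digest of the image about to be deployed, which is the binding that stops an SBOM attached to a different image from being accepted. The envelope, image digest and SPDX predicate are constructed stubs; the predicate type URI is the one cosign assigns for `--type spdxjson`. The block does not verify the DSSE signature: that is what `cosign verify-attestation` does, and this check belongs after it.

```python
import base64
import hashlib
import json

SPDX_JSON_PREDICATE = "https://spdx.dev/Document"   # predicateType cosign uses for --type spdxjson
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed image digest and in-toto statement; the SBOM predicate is a
# minimal SPDX-JSON stub, not real syft output.
IMAGE_DIGEST = "sha256:" + hashlib.sha256(b"constructed manifest").hexdigest()

_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "ghcr.io/myorg/myapp", "digest": {"sha256": IMAGE_DIGEST.split(":", 1)[1]}}],
    "predicateType": SPDX_JSON_PREDICATE,
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "ghcr.io/myorg/myapp",
        "packages": [
            {"name": "express", "versionInfo": "4.19.2"},
            {"name": "lodash", "versionInfo": "4.17.21"},
        ],
    },
}

# DSSE envelope in the shape `cosign download attestation` prints (one JSON
# object per attached attestation). The signature value is a placeholder.
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": INTOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": base64.b64encode(b"constructed").decode()}],
})


def load_statement(envelope_json, expected_digest, expected_type=SPDX_JSON_PREDICATE):
    """Decode one DSSE envelope and return the in-toto statement inside it.

    Raises ValueError unless the payload is in-toto, the predicateType is the
    one requested, and one subject digest equals the digest about to be
    deployed. This does NOT check the DSSE signature: `cosign download
    attestation` returns unverified data, so run `cosign verify-attestation`
    first and treat this as the policy step on top of it.
    """
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != expected_type:
        raise ValueError(f"predicateType {statement.get('predicateType')!r} != {expected_type!r}")
    algo, _, hexdigest = expected_digest.partition(":")
    if not any(s.get("digest", {}).get(algo) == hexdigest for s in statement.get("subject", [])):
        raise ValueError(f"no subject matches image digest {expected_digest}")
    return statement


def package_versions(statement):
    """Map package name -> version from an SPDX-JSON predicate."""
    return {p["name"]: p.get("versionInfo") for p in statement["predicate"].get("packages", [])}


if __name__ == "__main__":
    stmt = load_statement(SAMPLE_ENVELOPE, IMAGE_DIGEST)
    print(stmt["predicateType"], package_versions(stmt))
```

When an image has several attestations attached, `cosign download attestation` prints one envelope per line; feed each line to `load_statement` with the predicate type you want and ignore the ones that raise on type mismatch.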
```bash
brew install cosign
# Or: go install github.com/sigstore/cosign/v2/cmd/cosign@latest
# Or: Download from https://github.com/sigstore/cosign/releases
```
User request:
I have a Node.js API and a React frontend running in Docker. Set up Cosign for monitoring/deployment.
The agent creates the necessary configuration files based on the patterns above (signing in CI, verifying before deployment, attaching SBOM and scan attestations), integrates them with the existing Docker build, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.
User request:
Cosign is showing errors in our ci/cd integration. Here are the logs: [error output]
The agent analyzes the error output, identifies the root cause by cross-referencing common Cosign issues (missing `id-token: write` permission, mismatched `--certificate-identity` or `--certificate-oidc-issuer` values, signing a tag instead of a digest, registry authentication), applies the fix (updating the workflow or policy configuration, or correcting flags and syntax), and verifies the resolution by re-running `cosign verify` against the image.