Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

sawrus/sigstore-signing

Name: sigstore-signing
Author: sawrus

areas/devops/devsecops/skills/sigstore-signing/SKILL.md

npx skillsauth add sawrus/agent-guides sigstore-signing

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Skill: Sigstore / cosign Signing

Expertise: cosign keyless signing (Sigstore), key-based signing, signature verification, Kyverno/OPA enforcement, Rekor transparency log.

When to load

When setting up image signing in CI, verifying signatures before deploy, or enforcing signature policies in K8s admission.

Keyless Signing (OIDC — GitHub Actions)

# .github/workflows/sign.yml
jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write    # ← required for keyless OIDC signing

    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ghcr.io/myorg/order-service:${{ github.sha }}

      - name: Sign image (keyless)
        run: |
          cosign sign \
            --yes \
            ghcr.io/myorg/order-service@${{ steps.build.outputs.digest }}
          # Signature stored in Rekor transparency log
          # No private key needed — OIDC token proves identity

Key-Based Signing (when OIDC not available)

# Generate signing key pair (do once; store private key in Vault)
cosign generate-key-pair
# Creates: cosign.key (private — store in Vault) + cosign.pub (public — commit to repo)

# Sign with key
cosign sign \
  --key cosign.key \
  registry.example.com/myorg/order-service:v1.2.3

# Sign in CI using secret
cosign sign \
  --key env://COSIGN_PRIVATE_KEY \    # inject from CI secret
  registry.example.com/myorg/order-service:v1.2.3

Verification

# Verify keyless signature (GitHub Actions OIDC)
cosign verify \
  --certificate-identity-regexp "https://github.com/myorg/myrepo/.github/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/myorg/order-service:v1.2.3

# Verify key-based signature
cosign verify \
  --key cosign.pub \
  registry.example.com/myorg/order-service:v1.2.3

# Verify and show full certificate info
cosign verify \
  --certificate-identity-regexp ".*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/myorg/order-service:v1.2.3 | jq '.[0].optional'

# Check Rekor transparency log entry
cosign verify \
  --rekor-url https://rekor.sigstore.dev \
  ... | jq '.[0].rekorLogIndex'

Verification in CD Pipeline (before deploy)

# Add to Helm pre-upgrade hook or CD pipeline
DIGEST=$(crane digest registry.example.com/myorg/order-service:${VERSION})

cosign verify \
  --certificate-identity-regexp "https://github.com/myorg/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  registry.example.com/myorg/order-service@${DIGEST} || {
    echo "Image signature verification FAILED — aborting deploy"
    exit 1
  }

echo "Signature verified — proceeding with deploy"
helm upgrade ...

Kyverno Policy: Enforce Signed Images

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: verify-image-signature
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: [production, staging]
      verifyImages:
        - imageReferences:
            - "registry.example.com/myorg/*"
          attestors:
            - count: 1
              entries:
                - keyless:
                    subject: "https://github.com/myorg/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev

Custom Attestations (beyond SBOM)

# Attach custom attestation (e.g., test results, compliance evidence)
cat > test-results.json << 'EOF'
{
  "tests_passed": 142,
  "tests_failed": 0,
  "coverage_pct": 84.2,
  "timestamp": "2024-11-15T14:22:00Z"
}
EOF

cosign attest \
  --predicate test-results.json \
  --type https://example.com/predicates/test-results/v1 \
  registry.example.com/myorg/order-service@${DIGEST}

# Verify custom attestation
cosign verify-attestation \
  --type https://example.com/predicates/test-results/v1 \
  --certificate-identity-regexp ".*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  registry.example.com/myorg/order-service@${DIGEST} \
  | jq '.payload | @base64d | fromjson | .predicate'

Signing Key Rotation

# 1. Generate new key pair
cosign generate-key-pair  # → new cosign.key + cosign.pub

# 2. Re-sign all production images with new key
for image in $(cat production-images.txt); do
  cosign sign --key new-cosign.key $image
done

# 3. Update Kyverno policy to accept BOTH old and new key during transition
# 4. After all images re-signed: remove old key from policy
# 5. Revoke old key in Vault; delete from CI secrets

sawrus/sigstore-signing

areas/devops/devsecops/skills/sigstore-signing/SKILL.md

Sign container images and artifacts with cosign (keyless via OIDC and key-based); verify signatures in CD pipelines and admission policies.

12 stars

testing

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add sawrus/agent-guides sigstore-signing

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 24, 2026, 9:04 PM1.9s1 file scanned

SKILL.md

name:: sigstore-signing
type:: skill
description:: Sign container images and artifacts with cosign (keyless via OIDC and key-based); verify signatures in CD pipelines and admission policies.
allowed-tools:: Read, Write, Edit, Bash

Skill: Sigstore / cosign Signing

Expertise: cosign keyless signing (Sigstore), key-based signing, signature verification, Kyverno/OPA enforcement, Rekor transparency log.

When to load

When setting up image signing in CI, verifying signatures before deploy, or enforcing signature policies in K8s admission.

Keyless Signing (OIDC — GitHub Actions)

# .github/workflows/sign.yml
jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write    # ← required for keyless OIDC signing

    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ghcr.io/myorg/order-service:${{ github.sha }}

      - name: Sign image (keyless)
        run: |
          cosign sign \
            --yes \
            ghcr.io/myorg/order-service@${{ steps.build.outputs.digest }}
          # Signature stored in Rekor transparency log
          # No private key needed — OIDC token proves identity

Key-Based Signing (when OIDC not available)

# Generate signing key pair (do once; store private key in Vault)
cosign generate-key-pair
# Creates: cosign.key (private — store in Vault) + cosign.pub (public — commit to repo)

# Sign with key
cosign sign \
  --key cosign.key \
  registry.example.com/myorg/order-service:v1.2.3

# Sign in CI using secret
cosign sign \
  --key env://COSIGN_PRIVATE_KEY \    # inject from CI secret
  registry.example.com/myorg/order-service:v1.2.3

Verification

# Verify keyless signature (GitHub Actions OIDC)
cosign verify \
  --certificate-identity-regexp "https://github.com/myorg/myrepo/.github/workflows/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/myorg/order-service:v1.2.3

# Verify key-based signature
cosign verify \
  --key cosign.pub \
  registry.example.com/myorg/order-service:v1.2.3

# Verify and show full certificate info
cosign verify \
  --certificate-identity-regexp ".*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/myorg/order-service:v1.2.3 | jq '.[0].optional'

# Check Rekor transparency log entry
cosign verify \
  --rekor-url https://rekor.sigstore.dev \
  ... | jq '.[0].rekorLogIndex'

Verification in CD Pipeline (before deploy)

# Add to Helm pre-upgrade hook or CD pipeline
DIGEST=$(crane digest registry.example.com/myorg/order-service:${VERSION})

cosign verify \
  --certificate-identity-regexp "https://github.com/myorg/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  registry.example.com/myorg/order-service@${DIGEST} || {
    echo "Image signature verification FAILED — aborting deploy"
    exit 1
  }

echo "Signature verified — proceeding with deploy"
helm upgrade ...

Kyverno Policy: Enforce Signed Images

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: verify-image-signature
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaces: [production, staging]
      verifyImages:
        - imageReferences:
            - "registry.example.com/myorg/*"
          attestors:
            - count: 1
              entries:
                - keyless:
                    subject: "https://github.com/myorg/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev

Custom Attestations (beyond SBOM)

# Attach custom attestation (e.g., test results, compliance evidence)
cat > test-results.json << 'EOF'
{
  "tests_passed": 142,
  "tests_failed": 0,
  "coverage_pct": 84.2,
  "timestamp": "2024-11-15T14:22:00Z"
}
EOF

cosign attest \
  --predicate test-results.json \
  --type https://example.com/predicates/test-results/v1 \
  registry.example.com/myorg/order-service@${DIGEST}

# Verify custom attestation
cosign verify-attestation \
  --type https://example.com/predicates/test-results/v1 \
  --certificate-identity-regexp ".*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  registry.example.com/myorg/order-service@${DIGEST} \
  | jq '.payload | @base64d | fromjson | .predicate'

Signing Key Rotation

# 1. Generate new key pair
cosign generate-key-pair  # → new cosign.key + cosign.pub

# 2. Re-sign all production images with new key
for image in $(cat production-images.txt); do
  cosign sign --key new-cosign.key $image
done

# 3. Update Kyverno policy to accept BOTH old and new key during transition
# 4. After all images re-signed: remove old key from policy
# 5. Revoke old key in Vault; delete from CI secrets

Related Skills

sawrus/qa_expert

testing

VerifiedTrustedCommunity

QA Expert for writing E2E tests, test scenarios, test plans, and ensuring test coverage quality.

12SKILL.mdUpdated Apr 18, 2026

sawrus/design_expert

development

VerifiedTrustedCommunity

Expert UI/UX design intelligence for creating distinctive, high-craft, and mobile-first interfaces. Focuses on premium aesthetics, touch-first ergonomics, and Flutter performance.

12SKILL.mdUpdated Apr 18, 2026

sawrus/code_review_expert

development

VerifiedTrustedCommunity

Code Review Expert for static analysis, security auditing, architecture review, and ensuring code quality standards.

12SKILL.mdUpdated Apr 18, 2026

sawrus/code_review_expert

sawrus/babysit-pr

development

VerifiedTrustedCommunity

Babysit a GitHub pull request after creation by continuously polling review comments, CI checks/workflow runs, and mergeability state until the PR is merged/closed or user help is required. Diagnose failures, retry likely flaky failures up to 3 times, auto-fix/push branch-related issues when appropriate, and keep watching open PRs so fresh review feedback is surfaced promptly. Use when the user asks Codex to monitor a PR, watch CI, handle review comments, or keep an eye on failures and feedback on an open PR.

12SKILL.mdUpdated Apr 18, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/sawrus/agent-guides.git

# Copy into Claude Code skills folder (global)
cp -r agent-guides/areas/devops/devsecops/skills/sigstore-signing ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

sawrus/agent-guides

12 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT