Terminal.skills
Skills/cosign
>

cosign

Expert guidance for Cosign, the Sigstore tool for signing, verifying, and attaching metadata to container images and other OCI artifacts. Helps developers implement supply chain security by signing images in CI/CD, verifying signatures before deployment, and attaching SBOMs and vulnerability scan results as attestations.

#container-signing#supply-chain#sigstore#verification#sbom
terminal-skillsv1.0.0
Works with:claude-codeopenai-codexgemini-clicursor
Source

Usage

$
✓ Installed cosign v1.0.0

Getting Started

  1. Install the skill using the command above
  2. Open your AI coding agent (Claude Code, Codex, Gemini CLI, or Cursor)
  3. Reference the skill in your prompt
  4. The AI will use the skill's capabilities automatically

Example Prompts

  • "Deploy the latest build to the staging environment and run smoke tests"
  • "Check the CI pipeline status and summarize any recent failures"

Documentation

Overview

Cosign, the Sigstore tool for signing, verifying, and attaching metadata to container images and other OCI artifacts. Helps developers implement supply chain security by signing images in CI/CD, verifying signatures before deployment, and attaching SBOMs and vulnerability scan results as attestations.

Instructions

Sign and Verify Images

bash
# Install
brew install cosign

# Generate a keypair
cosign generate-key-pair
# Creates cosign.key (private) and cosign.pub (public)

# Sign an image after building
docker build -t myregistry.com/myapp:v1.2.3 .
docker push myregistry.com/myapp:v1.2.3
cosign sign --key cosign.key myregistry.com/myapp:v1.2.3

# Verify before deploying
cosign verify --key cosign.pub myregistry.com/myapp:v1.2.3

# Keyless signing with Sigstore (no key management!)
# Uses OIDC identity (GitHub Actions, Google, etc.)
cosign sign myregistry.com/myapp:v1.2.3
# Opens browser for OIDC login, signs with ephemeral key,
# records signature in Rekor transparency log

# Keyless verification
cosign verify \
  --certificate-identity=user@example.com \
  --certificate-oidc-issuer=https://accounts.google.com \
  myregistry.com/myapp:v1.2.3

CI/CD Integration

yaml
# .github/workflows/build.yml — Sign images in CI
jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                   # Required for keyless signing
      packages: write
    steps:
      - uses: actions/checkout@v4

      - name: Build and push
        run: |
          docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .
          docker push ghcr.io/${{ github.repository }}:${{ github.sha }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Sign image (keyless)
        run: |
          cosign sign \
            --yes \
            ghcr.io/${{ github.repository }}:${{ github.sha }}
        env:
          COSIGN_EXPERIMENTAL: 1

      - name: Attach SBOM
        run: |
          # Generate SBOM with syft
          syft ghcr.io/${{ github.repository }}:${{ github.sha }} -o spdx-json > sbom.spdx.json

          # Attach SBOM as an attestation
          cosign attest \
            --yes \
            --predicate sbom.spdx.json \
            --type spdxjson \
            ghcr.io/${{ github.repository }}:${{ github.sha }}

      - name: Attach vulnerability scan
        run: |
          # Scan with grype
          grype ghcr.io/${{ github.repository }}:${{ github.sha }} -o json > vuln-scan.json

          # Attach scan results
          cosign attest \
            --yes \
            --predicate vuln-scan.json \
            --type vuln \
            ghcr.io/${{ github.repository }}:${{ github.sha }}

Verify in Kubernetes (Kyverno Policy)

yaml
# Kubernetes policy: only deploy signed images
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences:
            - "ghcr.io/myorg/*"
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/myorg/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: "https://rekor.sigstore.dev"

Attestations

bash
# Attest build provenance (SLSA)
cosign attest \
  --yes \
  --predicate provenance.json \
  --type slsaprovenance \
  myregistry.com/myapp:v1.2.3

# Verify attestation
cosign verify-attestation \
  --type spdxjson \
  --certificate-identity-regexp=".*@myorg.com" \
  --certificate-oidc-issuer=https://accounts.google.com \
  myregistry.com/myapp:v1.2.3

# Download and inspect attached SBOM
cosign download attestation myregistry.com/myapp:v1.2.3 | jq -r '.payload' | base64 -d | jq .

Installation

bash
brew install cosign
# Or: go install github.com/sigstore/cosign/v2/cmd/cosign@latest
# Or: Download from https://github.com/sigstore/cosign/releases

Examples

Example 1: Setting up Cosign for a microservices project

User request:

I have a Node.js API and a React frontend running in Docker. Set up Cosign for monitoring/deployment.

The agent creates the necessary configuration files based on patterns like # Install, sets up the integration with the existing Docker setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.

Example 2: Troubleshooting ci/cd integration issues

User request:

Cosign is showing errors in our ci/cd integration. Here are the logs: [error output]

The agent analyzes the error output, identifies the root cause by cross-referencing with common Cosign issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.

Guidelines

  1. Keyless signing in CI — Use Sigstore's keyless signing in GitHub Actions; no key management, signatures tied to OIDC identity
  2. Sign every image — Sign in CI/CD, verify before deployment; no unsigned image should reach production
  3. Attach SBOMs — Generate and attach SBOM with every build; required for compliance (Executive Order 14028) and vulnerability tracking
  4. Verify in admission control — Use Kyverno or OPA to enforce signature verification at the Kubernetes admission level
  5. Rekor transparency log — Keyless signatures are recorded in Rekor; provides an immutable audit trail of who signed what and when
  6. Attestations for provenance — Attach SLSA provenance attestations; prove where and how the image was built
  7. Pin by digest — Reference images by SHA256 digest, not tag; tags can be overwritten, digests are immutable
  8. Vulnerability scan attestations — Attach scan results as attestations; verify no critical CVEs before deployment

Information

Version
1.0.0
Author
terminal-skills
Category
DevOps
License
Apache-2.0

Use Cases

Secure the Kubernetes Supply Chain from Code to Cluster