Skip to main content

implementing-sigstore-for-software-signing

Implements Sigstore for keyless software signing and verification, enhancing security and provenance in CI/CD pipelines.

Install this skill

or
88/100

Security score

The implementing-sigstore-for-software-signing skill was audited on Jun 5, 2026 and we found 8 security issues across 2 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 133

Webhook reference - potential data exfiltration

SourceSKILL.md
133- **Sigstore Policy Controller**: Kubernetes admission webhook that enforces image signing policies by verifying Cosign signatures and attestations before allowing pod creation
low line 82

External URL reference

SourceSKILL.md
82- **Supported OIDC providers**: Google (`https://accounts.google.com`), GitHub (`https://github.com/login/oauth`), Microsoft (`https://login.microsoftonline.com`), GitLab (`https://gitlab.com`), and c
low line 88

External URL reference

SourceSKILL.md
88- **Verify a container image**: Run `cosign verify <IMAGE_URI> [email protected] --certificate-oidc-issuer=https://accounts.google.com` to confirm the image was signed by the spe
low line 89

External URL reference

SourceSKILL.md
89- **Verify a signed blob**: Run `cosign verify-blob <file> --bundle artifact.sigstore.json [email protected] --certificate-oidc-issuer=https://accounts.google.com`
low line 93

External URL reference

SourceSKILL.md
93--certificate-oidc-issuer=https://token.actions.githubusercontent.com
low line 105

External URL reference

SourceSKILL.md
105- **REST API queries**: Query `https://rekor.sigstore.dev/api/v1/index/retrieve` with POST body `{"hash": "sha256:<hash>"}` to retrieve entry UUIDs, then fetch full entries from `/api/v1/log/entries/<
low line 145

External URL reference

SourceSKILL.md
1453. Deploy Sigstore Policy Controller to the Kubernetes cluster with a ClusterImagePolicy requiring signatures from `--certificate-identity-regexp=https://github.com/myorg/myrepo/.*` and `--certificate
low line 165

External URL reference

SourceSKILL.md
165Issuer: https://token.actions.githubusercontent.com
Scanned on Jun 5, 2026
View Security Dashboard
Installation guide →
GitHub Stars 1
Rate this skill
Categorydevelopment
UpdatedJune 7, 2026
openclawdevopsbackenddevops-srebackend-developersecurity-engineerproduct-managergrowth-pmdevelopmentproduct
seikaikyo/dash-skills