From vanguard-frontier-agentic
Executes cosign/crane/oras/grype commands against an NVIDIA NIM container to produce a signed go/no-go attestation for staging-to-production promotion.
Triggered by the user, by Claude, or both.
Slash command: `/vanguard-frontier-agentic:nvidia-model-promotion-gatekeeper`
This skill is limited to a restricted tool set.

Summary: Before a NIM container moves from staging to production, prove four things with **runtime evidence**, then emit a tamper-evident attestation:
- `cosign` signature verification pinned to `--certificate-identity` and `--certificate-oidc-issuer`.
- `crane digest` resolution matches the operator-supplied `image_ref@sha256:...` pin.
- `grype` delta against the current production digest; new critical or high CVEs block promotion.

The skill never mutates: no `docker pull`, no `kubectl apply`, no registry write. It reads, verifies, and emits a JSON attestation the operator signs with `cosign sign-blob` and hands to audit.
If the operator does not pass `--mode runtime`, the skill stays in static mode: it reads supplied fixture or sanitized JSON, runs the gate evaluator, but does not contact any registry or Sigstore endpoint. `evidence_level` is then `documentation-only` and `verdict` defaults to `manual-review`.
The `--mode runtime` opt-in is per-session, never a per-skill default. The operator must hand the skill an explicit image reference plus a current-prod digest.
- Resolve `image_ref` to a digest via `crane digest` first. If the operator-supplied pin (`image_ref@sha256:...`) does not match the resolved digest, emit `verdict: block` with reason `digest_drift`.
- Treat any `image_ref` not under `nvcr.io/` as `verdict: block` with reason `unknown_registry`. The allowlist regex enforces this; the skill must also assert it explicitly so the failure mode is auditable.
- Treat a signing certificate with `notAfter < now` as `verdict: block` with reason `expired_cert`. A valid-looking signature on an expired cert is a replay artifact.
- Treat a missing SBOM as `verdict: block` with reason `missing_sbom`. Treat a missing model-card OCI referrer, a label-only model-card reference, or a model-card record without a `sha256:...` digest as `verdict: block` with reason `missing_model_card`.
- Treat new critical or high CVEs not present in `current_prod_digest` as `verdict: block` with reason `cve_regression`.
- If Rekor cannot be reached, emit `evidence_level: partial` and `verdict: manual-review` with reason `rekor_unreachable`. Air-gapped deployments must promote on operator override, not on automatic ignore.
- Record `provenance.executed_commands` (exact argv, no env), `provenance.egress_hosts_contacted`, `provenance.runtime_mode`, and a 16+ char nonce whenever `runtime_mode=runtime`. Anti-replay is the operator's responsibility downstream, but the gatekeeper provides the field.
- Never let `$NGC_API_KEY` reach the attestation. The `provenance.executed_commands` array must scrub any flag values that resemble secrets (no equals-form value capture for `--password`, `--token`, `--auth`).

| Field | Required | Example |
|---|---|---|
| `image_ref` | yes | `nvcr.io/nim/meta/llama-3.3-70b:1.5.0` |
| `image_ref_pin` | yes (runtime mode) | `sha256:abc123...` (operator-supplied expected digest) |
| `current_prod_digest` | yes | `sha256:def456...` |
| `expected_signer_identity` | yes | `https://github.com/nvidia/nim-builder/.github/workflows/release.yml@refs/tags/v1.5.0` |
| `expected_oidc_issuer` | yes | `https://token.actions.githubusercontent.com` |
| `mode` | optional | `static` (default) or `runtime` |
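As an added example (not the plugin's own code), here is a gate evaluator for the rules above: `evaluate` applies the block/manual-review rules to a constructed evidence dict whose keys (`resolved_digest`, `sbom_referrer`, `model_card`, `candidate_cves`, `prod_cves`, `rekor_reachable`, `cert_not_after` as Unix seconds) are assumed, and `scrub_argv` redacts secret-looking flag values before they reach `provenance.executed_commands`.

```python
import re
import time

ALLOWED_REGISTRY = re.compile(r"^nvcr\.io/")         # registry allowlist from the page
SECRET_FLAGS = ("--password", "--token", "--auth")  # flags whose values never enter provenance
BLOCKING_SEVERITIES = {"critical", "high"}

def scrub_argv(argv):
    """Redact secret-looking flag values (equals and separate form) from an argv."""
    out, skip_next = [], False
    for arg in argv:
        if skip_next:                       # the separate-form value of a secret flag
            skip_next = False
            continue
        flag = arg.split("=", 1)[0]
        if flag in SECRET_FLAGS:
            out.append(flag + "=<redacted>" if "=" in arg else flag)
            skip_next = "=" not in arg
            continue
        out.append(arg)
    return out

def evaluate(ev, now=None):
    """ev: dict of gathered evidence (assumed key names). Returns (verdict, evidence_level, reasons)."""
    if ev["mode"] != "runtime":             # static mode: no registry or Sigstore contact
        return "manual-review", "documentation-only", []
    now = time.time() if now is None else now
    reasons = []
    if not ALLOWED_REGISTRY.match(ev["image_ref"]):
        reasons.append("unknown_registry")
    if ev["resolved_digest"] != ev["image_ref_pin"]:   # crane digest vs operator pin
        reasons.append("digest_drift")
    if ev["cert_not_after"] < now:          # notAfter < now
        reasons.append("expired_cert")
    if not ev["sbom_referrer"]:
        reasons.append("missing_sbom")
    card = ev.get("model_card") or {}
    if card.get("source") != "oci-referrer" or not str(card.get("digest", "")).startswith("sha256:"):
        reasons.append("missing_model_card")
    # grype delta: critical/high CVEs on the candidate that prod does not already carry
    new_cves = {c for c, sev in ev["candidate_cves"].items() if sev in BLOCKING_SEVERITIES}
    if new_cves - set(ev["prod_cves"]):
        reasons.append("cve_regression")
    if reasons:                             # assumption: hard blocks outrank a Rekor outage
        return "block", "live", reasons
    if not ev["rekor_reachable"]:
        return "manual-review", "partial", ["rekor_unreachable"]
    return "promote", "live", []
```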
The attestation JSON is the canonical response. The agent additionally surfaces, in plain text:
- `verdict`: `promote | block | manual-review`
- `evidence_level`: `live | partial | documentation-only`
- `verdict_reasons[]`
- Next step: `cosign sign-blob --bundle attestation.bundle attestation.json` for `promote`; remediation hints for `block`; explicit operator decision request for `manual-review`

References:
- `references/allowlist-commands.md` — exact argv catalog with rationale per command
- `references/attestation-format.md` — attestation schema walk-through with a worked example

Install: `npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agentic`