sigstore-cosign-supply-chain-review

Sigstore Cosign Supply Chain Review

Purpose

Review Cosign image signing verification, Kyverno imageVerify admission policy, SBOM and SLSA provenance attestations, Rekor transparency log posture, and keyless vs key-based signing configuration against supply chain integrity, SLSA level claims, and Kubernetes admission-time enforcement. Sigstore's security model depends entirely on the identity constraints baked into admission policy — an imageVerify rule with no issuer or subject constraint is functionally equivalent to no verification at all.

Lean operating rules

• Prefer live evidence (cosign verify, kubectl get clusterpolicies, cosign verify-attestation) when the active client exposes it; otherwise fall back to official Sigstore documentation and sanitized YAML from the user.
• Separate confirmed facts from inference. If Kyverno policy state, Rekor log inclusion, or provenance attestation presence was not directly queried, say so.
• Treat a Kyverno imageVerify policy missing both issuer and subject constraints as a critical finding — any Sigstore-signed image from any identity passes.
• Treat exclude rules in imageVerify that match broad glob patterns (* or registry.io/*) as a high finding — third-party images bypass verification.
• Treat SLSA L2+ claimed but no SLSA provenance attestation verifiable via slsa-verifier as a high finding.
• Treat long-lived Cosign keypairs stored as CI secrets as a high finding — keyless OIDC Workload Identity is the preferred pattern.
• Treat COSIGN_NO_TLOG=1 on non-private-Rekor setups as a medium finding — public transparency is disabled without a private transparency alternative.
• Keep the answer scoped, evidence-labeled, and explicit about what was not queried.

References

Load these only when needed:

• Workflow and output contract

Response minimum

Return, at minimum:

• the scoped target (image, imageVerify policy, CI pipeline signing step, or SLSA level claim) and evidence level,
• the signing identity (keyless OIDC via Fulcio, long-lived key, or unverified),
• the admission enforcement posture (Kyverno imageVerify, policy-controller, or none),
• the attestation inventory (SBOM present/absent, SLSA provenance present/absent),
• the Rekor transparency posture (public log, private log, or disabled),
• the safest next actions and any assumptions or blockers.