> cosign
Expert guidance for Cosign, the Sigstore tool for signing, verifying, and attaching metadata to container images and other OCI artifacts. Helps developers implement supply chain security by signing images in CI/CD, verifying signatures before deployment, and attaching SBOMs and vulnerability scan results as attestations.
curl "https://skillshub.wtf/TerminalSkills/skills/cosign?format=md"Cosign — Container Image Signing and Verification
Overview
Cosign, the Sigstore tool for signing, verifying, and attaching metadata to container images and other OCI artifacts. Helps developers implement supply chain security by signing images in CI/CD, verifying signatures before deployment, and attaching SBOMs and vulnerability scan results as attestations.
Instructions
Sign and Verify Images
# Install
brew install cosign
# Generate a keypair
cosign generate-key-pair
# Creates cosign.key (private) and cosign.pub (public)
# Sign an image after building
docker build -t myregistry.com/myapp:v1.2.3 .
docker push myregistry.com/myapp:v1.2.3
cosign sign --key cosign.key myregistry.com/myapp:v1.2.3
# Verify before deploying
cosign verify --key cosign.pub myregistry.com/myapp:v1.2.3
# Keyless signing with Sigstore (no key management!)
# Uses OIDC identity (GitHub Actions, Google, etc.)
cosign sign myregistry.com/myapp:v1.2.3
# Opens browser for OIDC login, signs with ephemeral key,
# records signature in Rekor transparency log
# Keyless verification
cosign verify \
--certificate-identity=user@example.com \
--certificate-oidc-issuer=https://accounts.google.com \
myregistry.com/myapp:v1.2.3
CI/CD Integration
# .github/workflows/build.yml — Sign images in CI
jobs:
build-and-sign:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # Required for keyless signing
packages: write
steps:
- uses: actions/checkout@v4
- name: Build and push
run: |
docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .
docker push ghcr.io/${{ github.repository }}:${{ github.sha }}
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Sign image (keyless)
run: |
cosign sign \
--yes \
ghcr.io/${{ github.repository }}:${{ github.sha }}
env:
COSIGN_EXPERIMENTAL: 1
- name: Attach SBOM
run: |
# Generate SBOM with syft
syft ghcr.io/${{ github.repository }}:${{ github.sha }} -o spdx-json > sbom.spdx.json
# Attach SBOM as an attestation
cosign attest \
--yes \
--predicate sbom.spdx.json \
--type spdxjson \
ghcr.io/${{ github.repository }}:${{ github.sha }}
- name: Attach vulnerability scan
run: |
# Scan with grype
grype ghcr.io/${{ github.repository }}:${{ github.sha }} -o json > vuln-scan.json
# Attach scan results
cosign attest \
--yes \
--predicate vuln-scan.json \
--type vuln \
ghcr.io/${{ github.repository }}:${{ github.sha }}
Verify in Kubernetes (Kyverno Policy)
# Kubernetes policy: only deploy signed images
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-image-signatures
spec:
validationFailureAction: Enforce
background: false
rules:
- name: verify-cosign-signature
match:
any:
- resources:
kinds: ["Pod"]
verifyImages:
- imageReferences:
- "ghcr.io/myorg/*"
attestors:
- entries:
- keyless:
subject: "https://github.com/myorg/*"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: "https://rekor.sigstore.dev"
Attestations
# Attest build provenance (SLSA)
cosign attest \
--yes \
--predicate provenance.json \
--type slsaprovenance \
myregistry.com/myapp:v1.2.3
# Verify attestation
cosign verify-attestation \
--type spdxjson \
--certificate-identity-regexp=".*@myorg.com" \
--certificate-oidc-issuer=https://accounts.google.com \
myregistry.com/myapp:v1.2.3
# Download and inspect attached SBOM
cosign download attestation myregistry.com/myapp:v1.2.3 | jq -r '.payload' | base64 -d | jq .
Installation
brew install cosign
# Or: go install github.com/sigstore/cosign/v2/cmd/cosign@latest
# Or: Download from https://github.com/sigstore/cosign/releases
Examples
Example 1: Setting up Cosign for a microservices project
User request:
I have a Node.js API and a React frontend running in Docker. Set up Cosign for monitoring/deployment.
The agent creates the necessary configuration files based on patterns like # Install, sets up the integration with the existing Docker setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.
Example 2: Troubleshooting ci/cd integration issues
User request:
Cosign is showing errors in our ci/cd integration. Here are the logs: [error output]
The agent analyzes the error output, identifies the root cause by cross-referencing with common Cosign issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.
Guidelines
- Keyless signing in CI — Use Sigstore's keyless signing in GitHub Actions; no key management, signatures tied to OIDC identity
- Sign every image — Sign in CI/CD, verify before deployment; no unsigned image should reach production
- Attach SBOMs — Generate and attach SBOM with every build; required for compliance (Executive Order 14028) and vulnerability tracking
- Verify in admission control — Use Kyverno or OPA to enforce signature verification at the Kubernetes admission level
- Rekor transparency log — Keyless signatures are recorded in Rekor; provides an immutable audit trail of who signed what and when
- Attestations for provenance — Attach SLSA provenance attestations; prove where and how the image was built
- Pin by digest — Reference images by SHA256 digest, not tag; tags can be overwritten, digests are immutable
- Vulnerability scan attestations — Attach scan results as attestations; verify no critical CVEs before deployment
> related_skills --same-repo
> zustand
You are an expert in Zustand, the small, fast, and scalable state management library for React. You help developers manage global state without boilerplate using Zustand's hook-based stores, selectors for performance, middleware (persist, devtools, immer), computed values, and async actions — replacing Redux complexity with a simple, un-opinionated API in under 1KB.
> zoho
Integrate and automate Zoho products. Use when a user asks to work with Zoho CRM, Zoho Books, Zoho Desk, Zoho Projects, Zoho Mail, or Zoho Creator, build custom integrations via Zoho APIs, automate workflows with Deluge scripting, sync data between Zoho apps and external systems, manage leads and deals, automate invoicing, build custom Zoho Creator apps, set up webhooks, or manage Zoho organization settings. Covers Zoho CRM, Books, Desk, Projects, Creator, and cross-product integrations.
> zod
You are an expert in Zod, the TypeScript-first schema declaration and validation library. You help developers define schemas that validate data at runtime AND infer TypeScript types at compile time — eliminating the need to write types and validators separately. Used for API input validation, form validation, environment variables, config files, and any data boundary.
> zipkin
Deploy and configure Zipkin for distributed tracing and request flow visualization. Use when a user needs to set up trace collection, instrument Java/Spring or other services with Zipkin, analyze service dependencies, or configure storage backends for trace data.