Join us

ContentUpdates and recent posts about Sigstore..
Link
devopslinks
@devopslinks shared a link, 5 days, 16 hours ago
FAUN.dev()

Chinese Vulnerability Database: CNVD vs CNNVD Analysis

Investigation profilesCNNVDandCNVDechoCVE. They reveal manual errors and poor machine-readability. China’s July 2021RMSVmandates 48-hour reporting and bans pre-patch disclosure. Mapping gaps exist. The databases published about1.4kentries ahead ofCVE, with lead times measured in months... read more  

Chinese Vulnerability Database: CNVD vs CNNVD Analysis
Share: Twitter

|

Linkedin

|

Facebook

|

Pocket

|

Reddit

|

Hacker News

|

Email
Link
devopslinks
@devopslinks shared a link, 5 days, 16 hours ago
FAUN.dev()

Please stop externalizing your costs directly into my face

SourceHut spent20–100%of weekly time mitigating hyper‑aggressive LLM crawlers. That work caused dozens of short outages and delayed core projects. The crawlers ignorerobots.txt. They hit costly endpoints likegit blame. They scan full git logs and commits. They rotate randomUser‑Agentsand thousands o.. read more  

Share: Twitter

|

Linkedin

|

Facebook

|

Pocket

|

Reddit

|

Hacker News

|

Email
Link
devopslinks
@devopslinks shared a link, 5 days, 16 hours ago
FAUN.dev()

Building a Least-Privilege AI Agent Gateway for Infrastructure Automation with MCP, OPA, and Ephemeral Runners

Introduces anAI Agent Gateway. It mediates agent requests, validates intent, enforcespolicy-as-code, and isolates execution inephemeral runners. Agents discover tools viaMCP. They submitJSON-RPCcalls and receiveOPAdecisions. Jobs queue and run in short-lived namespaces. Each run carries plan hashes,.. read more  

Building a Least-Privilege AI Agent Gateway for Infrastructure Automation with MCP, OPA, and Ephemeral Runners
Share: Twitter

|

Linkedin

|

Facebook

|

Pocket

|

Reddit

|

Hacker News

|

Email
Link
devopslinks
@devopslinks shared a link, 5 days, 16 hours ago
FAUN.dev()

The hunt for truly zero-CVE container images

Chainguard's Factory 2.0 andDriftlessAFrebuild images from source on upstream changes. They produce 2,000+ minimalzero‑CVEimages. Each image includes anSBOMand a cryptographicsignature. Docker'sDHIbuilds onDebianandAlpine. It mirrors Debian'sno‑DSAtriage intoVEX. It also suppresses real CVEs until D.. read more  

Share: Twitter

|

Linkedin

|

Facebook

|

Pocket

|

Reddit

|

Hacker News

|

Email
 Activity
secuodsoft
@secuodsoft started using tool MySQL , 1 week ago.
 Activity
secuodsoft
@secuodsoft started using tool Kubernetes , 1 week ago.
 Activity
secuodsoft
@secuodsoft started using tool Jenkins , 1 week ago.
 Activity
secuodsoft
@secuodsoft started using tool Docker , 1 week ago.
 Activity
secuodsoft
@secuodsoft started using tool Python , 1 week ago.
 Activity
secuodsoft
@secuodsoft started using tool PHP , 1 week ago.
Sigstore is an open source initiative designed to make software artifact signing and verification simple, automatic, and widely accessible. Its primary goal is to improve software supply chain security by enabling developers and organizations to cryptographically prove the origin and integrity of the software they build and distribute.

At its core, sigstore removes many of the traditional barriers associated with code signing. Instead of managing long-lived private keys manually, sigstore supports keyless signing, where identities are issued dynamically using OpenID Connect (OIDC) providers such as GitHub Actions, Google, or Microsoft. This dramatically lowers operational complexity and reduces the risk of key compromise.

The sigstore ecosystem is composed of several key components:

- Cosign: A tool for signing, verifying, and storing signatures for container images and other artifacts. Signatures are stored alongside artifacts in OCI registries, rather than embedded in them.

- Fulcio: A certificate authority that issues short-lived X.509 certificates based on OIDC identities, enabling keyless signing.

- Rekor: A transparency log that records signing events in an append-only, tamper-evident ledger. This provides public auditability and detection of suspicious or malicious signing activity.

Together, these components allow anyone to verify who built an artifact, when it was built, and whether it has been tampered with, using publicly verifiable cryptographic proofs. This aligns closely with modern supply chain security practices such as SLSA (Supply-chain Levels for Software Artifacts).

sigstore is widely adopted in the cloud-native ecosystem and integrates with tools like Kubernetes, container registries, CI/CD pipelines, and package managers. It is commonly used to sign container images, Helm charts, binaries, and SBOMs, and is increasingly becoming a baseline security requirement for production software delivery.

The project is governed by the OpenSSF (Open Source Security Foundation) and supported by major industry players.