Capability-based sandboxes with fine-grained policies The next-generation isolation primitive — brokering access directly within the agent's operating context, with zero setup and zero latency

Keyless Git signing using Sigstore

MDA Open Spec — a Markdown superset for agent-facing documents. One .mda source compiles to drop-in SKILL.md, AGENTS.md, MCP-SERVER.md, and CLAUDE.md. JSON Schema validated, with typed dependency graph, footnote relationships, and Sigstore-anchored signatures. For agentskills.io and AAIF runtimes.

Common go library shared across sigstore services and clients

An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster

Supply chain security for ML

An experimental Rust crate for sigstore

Trusted builds made easy! A cloud-native software factory for building, testing, and releasing trusted software artifacts

sigstore the hard way!

Enabling Software Supply Chain Security Capabilities in ArgoCD

Go library for Sigstore signing and verification

🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

The Anti-Virus for AI Artifacts & RAG Firewall. A static analysis tool scanning Models and Notebooks for RCE, Datasets and RAG docs for Data Poisoning, PII, and Prompt Injections. Secure your AI Supply Chain.

A highly configurable build executor and observer designed to generate signed SLSA provenance attestations about build runs.

Plugin for Helm to integrate the sigstore ecosystem

PDF signing utility supporting GPG and Sigstore (Google, GitHub, Microsoft accounts / keyless OIDC) signatures, multi-party signing, making it easy to sign and verify documents without heavyweight PDF signing stacks, making your PDFs authentic, tamper-proof, fully compatible with regular readers; all while costing zero-dollars to use.

Verify PyPI package attestations and improve Python supply-chain security

Example goreleaser + github actions config with keyless signing, SBOM generation, and attestations

🔴🟡🟢 The Amazing Multipurpose Policy Engine (and L)

🔍 Rekor transparency log monitoring and alerting