
Cosign Github Action

Cosign is an open-source tool developed by the Sigstore project that enables secure signing, verification, and storage of container images and other artifacts. It supports keyless signing using OIDC identities, traditional key-based signing, and integrates seamlessly with CI/CD pipelines. Cosign helps ensure the integrity and provenance of software artifacts, making it a critical component for securing supply chains in modern DevOps workflows.

🔹 Key Features of Cosign

  • Keyless Signing: Sign artifacts using OIDC identities (e.g., GitHub Actions, Google, Microsoft), eliminating the need to manage long-lived keys.

  • Traditional Key Support: Supports signing and verification with private/public key pairs and KMS-backed keys (AWS KMS, GCP KMS, Azure Key Vault, etc.).

  • Container Image Signing: Attach signatures, SBOMs, and attestations directly to container images without modifying the image itself.

  • Verification: Easily verify signatures and provenance metadata with public transparency logs (e.g., Rekor).

  • Integration Friendly: Designed for seamless integration with CI/CD pipelines and tools like Kubernetes, Tekton, and GitHub Actions.

  • Artifact Support: Beyond containers, Cosign can sign and verify other artifact types like files and blobs.

Cosign is part of a growing ecosystem focused on improving supply chain security and is widely used in production environments.

As part of Ananta Cloud’s DevSecOps capabilities, we've implemented a standardized GitHub Action for Cosign to help teams securely sign and verify container images and other artifacts directly within their CI/CD pipelines.

This integration ensures artifact integrity, supports keyless signing with OIDC, and enforces security best practices across all environments — with minimal setup.

🔹 What It Does

  • Automates Cosign signing and verification in your GitHub workflows.
  • Supports both keyless (OIDC-based) and key-based signing.
  • Publishes signed container images with attached metadata (e.g., SBOMs, attestations).
  • Verifies image signatures before deployment.
  • Integrates seamlessly with Ananta Cloud’s broader security and compliance framework.

🔹 Benefits of Using Ananta Cloud’s Cosign Action

  • Security by Default: Enforces signature verification as part of your build and release pipelines.

  • Simplified Key Management: Use OIDC for keyless signing—no long-lived credentials required.

  • Auditability: All signed artifacts are traceable and verifiable using transparency logs.

  • Out-of-the-Box Integration: Easily adoptable across multiple projects with consistent standards.

  • Enhanced Supply Chain Security: Supports in-toto attestations, SBOM generation, and Rekor transparency log publishing.

🔹 Supported Inputs

| Name | Description | Required |
|---|---|---|
| containers | Comma-separated list of container image names (without registry) | ✔️ Yes |
| registry | Container registry base (e.g., ghcr.io/owner) | ✔️ Yes |
| registry-token | Token used to authenticate with the registry (usually ${{ secrets.GITHUB_TOKEN }}) | ✔️ Yes |
| signing-secret | Base64-encoded private key for signing (e.g., ${{ secrets.SIGNING_SECRET }}) | ✔️ Yes |
| tags | Tags to apply when signing (e.g., latest, v1.0.0) | ✔️ Yes |

🔹 Supported Outputs

None

🔹 Usage

- name: Sign container images with Cosign
  # `@main` ref assumed; the "/tree/main/" form is a GitHub web URL, not a valid `uses:` value
  uses: anantacloud/actions/security/cosign@main
  with:                              # inputs as listed under Supported Inputs
    containers: app,worker           # hypothetical image names, without registry prefix
    registry: ghcr.io/${{ github.repository_owner }}
    registry-token: ${{ secrets.GITHUB_TOKEN }}
    signing-secret: ${{ secrets.SIGNING_SECRET }}
    tags: latest,v1.0.0
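The following complete workflow shows the action in context: one job builds and pushes an image to GHCR and signs it with the inputs listed under Supported Inputs, and a second job refuses to deploy unless the signature verifies against the matching public key. This is an added example and not code from the original page or from Ananta Cloud. The `@main` action reference, the image name `app`, the secret name `COSIGN_PUBLIC_KEY` and the `./deploy.sh` step are assumptions; the verification step uses the upstream `cosign verify --key` command (installed via `sigstore/cosign-installer`) because the action itself declares no outputs.

```yaml
name: build-sign-verify

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write          # push images and their signatures to GHCR

env:
  REGISTRY: ghcr.io/${{ github.repository_owner }}
  IMAGE: app               # hypothetical container name (no registry prefix)

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.ref_name }}

      - name: Sign with the Ananta Cloud Cosign action
        uses: anantacloud/actions/security/cosign@main   # @main ref assumed
        with:
          containers: ${{ env.IMAGE }}
          registry: ${{ env.REGISTRY }}
          registry-token: ${{ secrets.GITHUB_TOKEN }}
          signing-secret: ${{ secrets.SIGNING_SECRET }}   # base64-encoded private key
          tags: ${{ github.ref_name }}

  verify-and-deploy:
    needs: build-and-sign
    runs-on: ubuntu-latest
    steps:
      - uses: sigstore/cosign-installer@v3

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Gate: this step fails, and the deploy step never runs, if the image has no
      # signature or the signature was not produced by the key matching COSIGN_PUBLIC_KEY.
      - name: Verify signature before deploying
        env:
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}   # PEM public key for SIGNING_SECRET (assumed secret name)
        run: |
          cosign verify --key env://COSIGN_PUBLIC_KEY \
            "${REGISTRY}/${IMAGE}:${GITHUB_REF_NAME}"

      - name: Deploy
        run: ./deploy.sh "${REGISTRY}/${IMAGE}:${GITHUB_REF_NAME}"   # placeholder deploy step
```

Keeping verification in a separate job from signing means the deploy path never trusts an image just because the build job succeeded; the only thing that unlocks deployment is a signature that checks out against the public key held in the repository's secrets. By default `cosign verify` also expects a matching Rekor transparency log entry, so if the action is configured to sign without uploading to Rekor, the verify command must be adjusted to match.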