Kubecost Disk Autoscaler uses modern software supply chain security methods including image signing, provenance attestation (SLSA level 3 compliant), build-time image scans, and software bill of material (SBOM) both of which are also attested.
Perform the following steps to verify these artifacts for yourself.
To easily verify using any of the following methods, set a variable for the tag of the image you wish to inspect.
export TAG=<tag>Use the Sigstore cosign tool to show all supply chain security related artifacts available for a given image tag.
cosign tree gcr.io/kubecost1/disk-autoscaler:$TAGAn output similar to below will be displayed.
π¦ Supply Chain Security Related artifacts for an image: gcr.io/kubecost1/disk-autoscaler:<tag>
βββ πΎ Attestations for an image tag: gcr.io/kubecost1/disk-autoscaler:sha256-6241209ed7ee65d4f2337619baedb5f181aaa9a94a6ba284eaf40fc1d9a64917.att
βββ π sha256:87f7e9a35a901c0acddf6bc58da8385b3dac7de5a59bf6bf6ab47b538d6704be
βββ π sha256:4852939abd9bf1ced214e7fa23e6efab08f67ea32c4d984b4f9f7f712c0d4b6a
βββ π sha256:05b66de22d6057a2500842e505aa9a01949c3d33f9b30e83065da4a7e5ea1c47
βββ π Signatures for an image tag: gcr.io/kubecost1/disk-autoscaler:sha256-6241209ed7ee65d4f2337619baedb5f181aaa9a94a6ba284eaf40fc1d9a64917.sig
βββ π sha256:1fb209e1fc2483a5554ce81293a382974295f4476abc466ed5c8748cfb48f3e3
βββ π¦ SBOMs for an image tag: gcr.io/kubecost1/disk-autoscaler:sha256-6241209ed7ee65d4f2337619baedb5f181aaa9a94a6ba284eaf40fc1d9a64917.sbom
βββ π sha256:935a70c773886bfc4a5bcb1f6571aebe0bac2a72a8421275c4c3542c26b827c3
Use the Sigstore cosign tool to verify images have been signed using the keyless method.
cosign verify gcr.io/kubecost1/disk-autoscaler:$TAG --certificate-identity-regexp="https://github.com/kubecost/disk-autoscaler/.github/workflows/release.yaml@refs/tags/*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jqThe image signature is also available as an offline release asset for every tagged release.
Verify image provenance from the SLSA standard.
cosign verify-attestation --type slsaprovenance02 --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' gcr.io/kubecost1/disk-autoscaler:$TAG | jq .payload -r | base64 --decode | jqIf you wish, you may also use the official SLSA verifier CLI with the following command.
First, find the digest of the image and tag of your choosing by using crane.
crane digest gcr.io/kubecost1/disk-autoscaler:$TAGIf you do not have or do not wish to install crane and have already pulled the image locally, use the equivalent docker inspect command.
docker inspect gcr.io/kubecost1/disk-autoscaler:$TAG | jq '.[0].RepoDigests[0]'Use slsa-verifier along with the digest and the tag to display the attested provenance.
slsa-verifier verify-image gcr.io/kubecost1/disk-autoscaler@<digest> --source-uri github.com/kubecost/disk-autoscaler --source-tag $TAG --print-provenance | jqUse the Sigstore cosign tool to verify a software bill of materials (SBOM), using the SPDX standard, has been attested using the keyless method.
cosign verify-attestation --type spdxjson gcr.io/kubecost1/disk-autoscaler:$TAG --certificate-identity-regexp="https://github.com/kubecost/disk-autoscaler/.github/workflows/release.yaml@refs/tags/*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq .payload -r | base64 --decode | jqThe SBOM is also available as an offline release asset for every tagged release.
Verify the image scan results from Trivy.
cosign verify-attestation --type vuln gcr.io/kubecost1/disk-autoscaler:$TAG --certificate-identity-regexp="https://github.com/kubecost/disk-autoscaler/.github/workflows/release.yaml@refs/tags/*" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq .payload -r | base64 --decode | jqThe vulnerability scan is also available as an offline release asset for every tagged release.