
[Feature]: Implement Sigstore Policy Controller for SLSA Build Provenance Verification #188

@mchmarny

Description


Prerequisites

  • I searched existing issues

Feature Summary

Replace Kyverno-based image admission policy with Sigstore Policy Controller to automatically verify SLSA Build Provenance attestations for NVSentinel container images at deployment time.

Problem/Use Case

NVSentinel container images are now built with SLSA Build Level 3 provenance attestations. Currently, there is no automated verification of these attestations when deploying to Kubernetes clusters.

Proposed Solution

  • Document use of Sigstore Policy Controller
  • Implement keyless verification using GitHub Actions OIDC identity
  • Validate SLSA provenance attestations with CUE policy language
  • Provide automated setup script for easy deployment
  • Update documentation with verification examples
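
As an added example (not taken from this issue or from the NVSentinel project), a ClusterImagePolicy for Sigstore Policy Controller that ties the proposal together: keyless verification against the GitHub Actions OIDC issuer, plus a CUE policy over the SLSA provenance attestation. The image glob, the EXAMPLE-ORG/EXAMPLE-REPO repository, the release.yml workflow path and the buildType pattern are assumptions to be replaced with the project's real values.

```yaml
# ClusterImagePolicy for Sigstore Policy Controller (policy.sigstore.dev).
# EXAMPLE-ORG, EXAMPLE-REPO and release.yml are placeholders, not values
# taken from the NVSentinel project.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: nvsentinel-slsa-provenance
spec:
  # Reject pods (rather than only warn) when verification fails.
  mode: enforce
  images:
    # Only images matching this glob are subject to the policy.
    - glob: "ghcr.io/EXAMPLE-ORG/nvsentinel/**"
  authorities:
    - name: github-actions-keyless
      # Keyless: the signing certificate is issued by Fulcio and must carry
      # the GitHub Actions OIDC issuer and a workflow identity from this
      # repository, pinned to a release tag.
      keyless:
        url: https://fulcio.sigstore.dev
        identities:
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: "^https://github\\.com/EXAMPLE-ORG/EXAMPLE-REPO/\\.github/workflows/release\\.yml@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$"
      # The signature must also be present in the Rekor transparency log.
      ctlog:
        url: https://rekor.sigstore.dev
      attestations:
        - name: slsa-build-provenance
          # Full predicate URI for SLSA provenance v1.
          predicateType: https://slsa.dev/provenance/v1
          policy:
            type: cue
            # The CUE schema is unified with the attestation statement;
            # any field that fails to unify rejects the image.
            data: |
              predicateType: "https://slsa.dev/provenance/v1"
              predicate: {
                buildDefinition: {
                  // Assumed: a GitHub Actions based build type.
                  buildType: =~"^https://(actions\\.github\\.io|slsa-framework\\.github\\.io)/"
                  // Provenance must name the expected source repository.
                  externalParameters: workflow: repository: "https://github.com/EXAMPLE-ORG/EXAMPLE-REPO"
                }
                // Builder identity must be a GitHub-hosted workflow.
                runDetails: builder: id: =~"^https://github\\.com/"
              }
```

Policy Controller only evaluates namespaces labelled `policy.sigstore.dev/include: "true"`, so the target namespace must carry that label for the policy to apply.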

Component

Health Monitor

Metadata


Assignees

Labels

  • documentation (Improvements or additions to documentation)
  • enhancement (New feature or request)

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests
