Cosign

Introduction

The Cosign plugin by Devtron enables secure signing of your container images, enhancing supply chain security. It authenticates your identity as the creator and ensures image integrity, allowing users to verify the source and detect any tampering. This provides greater assurance to developers incorporating your artifacts into their workflows.

Prerequisites

Before integrating the Cosign plugin, ensure that you have configured the Cosign and have a set of private and public keys to sign the container images.

Steps

1. Go to Applications → Devtron Apps.

2. Click your application.

3. Go to App Configuration → Workflow Editor.

4. Click New Workflow and navigate to the Build and Deploy from Source Code.

5. Fill the required fields in the Create build pipeline window and navigate to the Post-build stage.

1. Under 'TASKS', click the + Add task button.

2. Click the Cosign plugin.

3. Enter the following user inputs with appropriate values.

User Inputs

Task Name

Enter the name of your task

e.g., Signing of container images

Description

Add a brief explanation of the task and the reason for choosing the plugin. Include information for someone else to understand the purpose of the task.

e.g., The Cosign plugin is integrated for ensuring the authenticity of container images.

Input Variables

Trigger/Skip Condition

Here you can set conditions to execute or skip the task. You can select Set trigger conditions for the execution of a task or Set skip conditions to skip the task.

Output Variables

Cosign will not be generating an output variable.

Click Update Pipeline.