A collection of public support scripts and utilities for Aleph Alpha customers to help with container security, attestation management, and other operational tasks.
This repository contains utility scripts designed to help Aleph Alpha customers manage and interact with container images, security attestations, and related infrastructure components. These tools are particularly useful for organizations working with signed container images and security compliance requirements.
A comprehensive Kubernetes image scanning script that automatically discovers container images in a namespace, downloads SBOM attestations from Cosign-signed images, processes triage attestations, and runs Trivy vulnerability scans on SBOMs with detailed CVE analysis and reporting.
- Kubernetes Integration: Automatically discovers images from pods, deployments, daemonsets, statefulsets, jobs, and cronjobs
- SBOM-Based Scanning: Downloads SBOM attestations and scans them with Trivy for accurate vulnerability detection
- Cosign Integration: Processes only Cosign-signed images with SBOM attestations
- Smart Image Filtering: Skips unsigned images, images without SBOM, and applies configurable ignore lists
- Detailed CVE Analysis: Categorizes CVEs as unaddressed, addressed (via triage), or irrelevant based on severity
- Parallel Processing: Configurable parallel scanning for improved performance
- Comprehensive Reporting: Generates detailed reports with actual CVE IDs in both table and JSON formats
- Triage Integration: Automatically applies Cosign triage attestations to filter known false positives
- Flexible Configuration: Support for custom Trivy configurations and severity filtering
- Dry Run Mode: Preview what would be scanned without executing actual scans
- Chainguard Base Verification (NEW): Verifies if images are based on Chainguard base images and shows the result in the final table
- Performance Caching: Local cache for attestation types, SBOMs, and triage files to dramatically speed up repeated scans
- Cache Statistics: View cache usage, size, and effectiveness with
--cache-stats - Test Flow Mode: Process only the first valid image for quick testing (
--test-flow)
The script processes images based on their signature and attestation status:
| Image Type | Description | Action |
|---|---|---|
| Cosign-signed with SBOM and triage | Images signed with Cosign that have both SBOM and triage attestations | SBOM downloaded and scanned with triage filtering applied |
| Cosign-signed with SBOM only | Images signed with Cosign that have SBOM but no triage attestations | SBOM downloaded and scanned without triage filtering |
| Cosign-signed without SBOM | Images signed with Cosign but no SBOM attestations | Skipped (cannot scan without SBOM) |
| Unsigned | Images without Cosign signatures | Skipped (not scanned) |
Basic scan of default namespace:
./scanner/k8s-image-scanner.shScan specific namespace with ignore file:
./scanner/k8s-image-scanner.sh --namespace production --ignore-file ./scanner/ignore-images.txtParallel scanning with custom output:
./scanner/k8s-image-scanner.sh --namespace staging --output-dir ./security-reports --parallel-scans 5Dry run to preview what would be scanned:
./scanner/k8s-image-scanner.sh --namespace production --dry-runJSON output with custom severity filtering:
./scanner/k8s-image-scanner.sh --format json --severity "CRITICAL,HIGH,MEDIUM" --output-dir ./reportsCVE analysis with custom minimum severity level:
./scanner/k8s-image-scanner.sh --min-cve-level MEDIUM --namespace productionCustom Kubernetes context and configuration:
./scanner/k8s-image-scanner.sh --context prod-cluster --kubeconfig ~/.kube/prod-config --namespace app-prodView cache statistics:
./scanner/k8s-image-scanner.sh --cache-statsTest flow (scan only first valid image):
./scanner/k8s-image-scanner.sh --namespace production --test-flowCustom cache configuration:
./scanner/k8s-image-scanner.sh --namespace production --cache-dir /tmp/my-cache --cache-ttl 48Disable caching:
./scanner/k8s-image-scanner.sh --namespace production --no-cacheUsage:
./scanner/k8s-image-scanner.sh [OPTIONS]
Options:
--namespace NAMESPACE Kubernetes namespace to scan (default: pharia-ai)
--ignore-file FILE File containing images to ignore (one per line)
--output-dir DIR Output directory for reports (default: ./scan-results)
--kubeconfig FILE Path to kubeconfig file (optional)
--context CONTEXT Kubernetes context to use (optional)
--trivy-config FILE Custom Trivy configuration file (optional)
--parallel-scans NUM Number of parallel scans (default: 3)
--timeout TIMEOUT Timeout for individual operations in seconds (default: 300)
--certificate-oidc-issuer ISSUER OIDC issuer for cosign verification
--certificate-identity-regexp REGEX Identity regexp for cosign verification
--min-cve-level LEVEL Minimum CVE severity level for analysis: LOW|MEDIUM|HIGH|CRITICAL (default: HIGH)
--cache-dir DIR Cache directory (default: ~/.cache/k8s-image-scanner)
--cache-ttl HOURS Cache TTL in hours (default: 24)
--no-cache Disable caching entirely
--clear-cache Clear cache before running
--cache-stats Show cache statistics and exit
--test-flow Only scan the first valid image (for testing)
--verbose Enable verbose logging
--dry-run Show what would be scanned without executing
--format FORMAT Report format: table|json|sarif (default: table)
--severity SEVERITIES Comma-separated list of severities to include (default: LOW,MEDIUM,HIGH,CRITICAL)
-h, --help Show this help
Create a text file with one image pattern per line to exclude from scanning:
# Comments start with #
k8s.gcr.io/pause
registry.k8s.io/pause
alpine:latest
internal-registry.company.com/base/
nginx:1.20-alpine
See scanner/sample-ignore-images.txt for a complete example.
The script creates a structured output directory:
scan-results/
βββ scan-summary.json # Overall scan summary with detailed CVE analysis
βββ registry_example_com_app_v1_0_0/ # Per-image results (Cosign-signed with SBOM and triage)
β βββ metadata.json # Image scan metadata
β βββ sbom.json # Downloaded SBOM attestation
β βββ triage.json # Downloaded Cosign triage attestation
β βββ triage.trivyignore # Converted triage file for Trivy
β βββ cve_details.json # Detailed CVE analysis with actual CVE IDs
β βββ trivy-analysis.json # Raw Trivy JSON output
β βββ trivy-report.table # Trivy scan results (table format)
βββ registry_example_com_db_v2_1_0/ # Per-image results (signed with SBOM, no triage)
βββ metadata.json
βββ sbom.json # Downloaded SBOM attestation
βββ cve_details.json # CVE analysis (no triage applied)
βββ trivy-analysis.json
βββ trivy-report.table
The scan-summary.json file includes comprehensive CVE analysis data:
{
"scan_summary": {
"successful_scans": 2,
"failed_scans": 0,
"skipped_scans": 5
},
"cve_analysis": [
{
"image": "app:v1.0.0",
"unaddressed_cves": 0,
"addressed_cves": 15,
"irrelevant_cves": 23,
"has_triage_file": true,
"unaddressed_cve_list": [],
"addressed_cve_list": ["CVE-2023-1234", "CVE-2023-5678", ...],
"irrelevant_cve_list": ["CVE-2022-9999", ...],
"min_cve_level": "HIGH"
}
]
}The scanner leverages the existing cosign-extract.sh script for Cosign attestation extraction, ensuring consistent verification and extraction behavior. It automatically:
- Detects image signatures using Cosign verification to determine if images are signed
- Downloads SBOM attestations from Cosign-signed images using
cosign-extract.sh --predicate-only - Downloads triage attestations from Cosign-signed images using
cosign-extract.sh --last - Selects latest attestations automatically when multiple attestations exist
- Verifies attestations using configurable OIDC settings for security
- Scans SBOMs with Trivy using
trivy sbomfor accurate vulnerability detection - Converts triage data from JSON attestation format to Trivy ignore format
- Applies triage filtering to Trivy scans automatically
- Analyzes CVE results categorizing them as unaddressed, addressed, or irrelevant
- Generates comprehensive reports with detailed CVE analysis and actual CVE IDs
- Verifies Chainguard base images per image using
verify-chainguard-base-image.shand reports results
The CVE analysis table now includes a new column:
- Chainguard Base: Shows whether the image is based on a Chainguard base image
- β Yes: Verified Chainguard base image
- β No: Not a Chainguard base (or could not be verified)
The scanner includes a local caching system to dramatically speed up repeated scans:
What's Cached:
- Attestation Type Detection: Results of signature verification and attestation type detection
- SBOM Downloads: Downloaded SBOM attestations (CycloneDX and SPDX)
- Triage Downloads: Downloaded triage attestations
Cache Benefits:
- Speed Improvements: Cached operations are 200-1000x faster than network operations
- Reduced Network Load: Fewer registry API calls and bandwidth usage
- Offline Capability: Works offline for previously scanned images
- Cost Savings: Less compute time and network egress costs
Cache Configuration:
- Default Location:
~/.cache/k8s-image-scanner/ - Default TTL: 24 hours (configurable with
--cache-ttl) - Cache Key: Uses image digest (SHA256) for reliable caching
- Automatic Management: Expired entries are automatically ignored
Cache Statistics: View detailed cache statistics including:
- Total cache size and number of cached images
- Count of cached items by type (attestation types, SBOMs, triage files)
- Cache age distribution
- Top cached images by size
./scanner/k8s-image-scanner.sh --cache-statsExample Output:
π Cache Statistics
===================
Cache Configuration:
Directory: ~/.cache/k8s-image-scanner
TTL: 24 hours
Cache Size:
Total: 245.32 MB
Cached images: 47
Cached Items:
Attestation types: 42
SBOM (CycloneDX): 38
SBOM (SPDX): 5
Triage files: 35
Total cached items: 120
Cache Age Distribution:
< 1 hour: 12 images
1-12 hours: 18 images
12-24 hours: 17 images
Cache Management:
- Use
--clear-cacheto clear the cache before scanning - Use
--no-cacheto disable caching entirely - Use
--cache-dirto specify a custom cache location - Use
--cache-ttlto adjust cache expiration time
- kubectl (configured with access to target cluster)
- trivy (for vulnerability scanning of SBOMs)
- jq (for JSON processing)
- crane (for container registry operations)
- docker (for registry accessibility checking in k8s-image-scanner.sh)
- cosign (for signature verification and attestation extraction)
- column (for table formatting, usually pre-installed on Unix systems)
A focused scanning script for analyzing single container images by downloading SBOM attestations and performing Trivy vulnerability scans on the SBOM. This script automatically applies cosign triage attestations to filter known and addressed vulnerabilities, providing detailed CVE analysis and reporting.
- SBOM-Based Scanning: Downloads SBOM attestations and scans them with Trivy for accurate vulnerability detection
- Single Image Focus: Scan any container image directly without Kubernetes integration
- Cosign Integration: Automatically detects signed images and downloads SBOM and triage attestations
- Triage Filtering: Applies cosign triage attestations to filter known false positives (optional with
--no-triage) - Flexible Formats: Support for table, JSON, and SARIF output formats
- Registry Accessibility Check: Validates registry access before scanning
- Comprehensive CVE Analysis: Categorizes CVEs by severity with detailed counts and integrated CVE table
- CVE Display Options: Control CVE table output with
--show-cvesand--max-cvesflags - SBOM Type Selection: Choose between CycloneDX (default) or SPDX SBOM formats
- Dry Run Mode: Preview what would be scanned without executing
- Verbose Logging: Optional detailed output for troubleshooting
The script handles different image types intelligently:
| Image Type | Description | Action |
|---|---|---|
| Cosign-signed with SBOM and triage | Images signed with Cosign that have both SBOM and triage attestations | SBOM downloaded and scanned with triage filtering applied |
| Cosign-signed with SBOM only | Images signed with Cosign that have SBOM but no triage attestations | SBOM downloaded and scanned without triage filtering |
| Cosign-signed without SBOM | Images signed with Cosign but no SBOM attestations | Error: Cannot scan without SBOM |
| Unsigned | Images without Cosign signatures | Error: Unsigned images cannot be scanned (SBOM required) |
Basic scan of a container image:
./cosign-scan-image.sh --image harbor.example.com/library/myapp:v1.0.0Scan with JSON output format:
./cosign-scan-image.sh --image myregistry.io/app:latest --format json --output-dir ./my-reportsDry run to preview what would be scanned:
./cosign-scan-image.sh --image harbor.example.com/prod/api:1.2.3 --dry-runScan with verbose output and custom severity:
./cosign-scan-image.sh --image myimage:tag --verbose --severity "CRITICAL,HIGH,MEDIUM"Scan with custom output directory:
./cosign-scan-image.sh --image registry.company.com/app:v2.0 --output-dir ./security-scansUsage:
./cosign-scan-image.sh --image IMAGE [OPTIONS]
Required:
--image IMAGE Container image to scan (e.g., registry.io/org/image:tag)
Options:
--output-dir DIR Output directory for reports (default: ./scan-results)
--trivy-config FILE Custom Trivy configuration file (optional)
--timeout TIMEOUT Timeout for individual operations in seconds (default: 300)
--certificate-oidc-issuer ISSUER OIDC issuer for cosign verification
--certificate-identity-regexp REGEX Identity regexp for cosign verification
--sbom-type TYPE SBOM type to extract: cyclonedx|spdx (default: cyclonedx)
--no-triage Skip downloading and applying triage attestations
--show-cves Show detailed CVE table in summary (default: enabled)
--max-cves NUM Maximum CVEs to display in table (0 for all, default: 20)
--verbose Enable verbose logging
--dry-run Show what would be scanned without executing
--format FORMAT Report format: table|json|sarif (default: table)
--severity LEVEL Severity level to report: LOW|MEDIUM|HIGH|CRITICAL (default: CRITICAL)
-h, --help Show this help
The script creates a structured output directory for the scanned image:
scan-results/
βββ harbor_example_com_library_myapp_v1_0_0/ # Per-image results
βββ metadata.json # Image scan metadata
βββ sbom.json # Downloaded SBOM attestation (CycloneDX or SPDX)
βββ triage.json # Downloaded Cosign triage attestation (if available)
βββ triage.trivyignore # Converted triage file for Trivy
βββ trivy-report.json # Trivy JSON report for CVE analysis
βββ trivy-report.table # Trivy scan results (format: table/json/sarif)
The script displays an integrated summary with vulnerability counts and detailed CVE table:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
π SCAN SUMMARY
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Image: harbor.example.com/library/myapp:v1.0.0
SBOM: β
Downloaded
Triage: β
Applied
Scan Method: SBOM-based
Vulnerabilities:
π΄ Critical: 0
π High: 2
π‘ Medium: 5
π’ Low: 12
Details:
CVE ID SEVERITY PACKAGE INSTALLED FIXED TITLE
ββββββββββββββββββ ββββββββββ ββββββββββββββββββββ βββββββββββββββ βββββββββββββββ βββββββββββββββββββββββββββββ
CVE-2024-1234 π HIGH libssl1.1 1.1.1f-1ubuntu 1.1.1f-2ubuntu OpenSSL vulnerability
CVE-2024-5678 π HIGH curl 7.68.0-1ubuntu 7.68.0-2ubuntu CURL remote code execution
...
Output: ./scan-results
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
Scan completed successfully
The scanner leverages existing scripts for consistent behavior:
- Signature Detection: Uses
cosign-verify-image.shto verify image signatures - SBOM Download: Uses
cosign-extract.sh --predicate-onlyto download SBOM attestations - Attestation Download: Uses
cosign-extract.shto download triage attestations - Automatic Selection: Automatically selects the latest attestation when multiple exist
- Verification: Verifies attestations using configurable OIDC settings
- SBOM Scanning: Uses
trivy sbomto scan the downloaded SBOM for vulnerabilities - Triage Conversion: Converts triage data to Trivy ignore format
- CVE Analysis: Categorizes vulnerabilities by severity with integrated table display
- trivy (for vulnerability scanning of SBOMs)
- jq (for JSON processing)
- crane (for image digest resolution)
- docker (for registry accessibility checking)
- cosign (for signature verification and attestation extraction)
- cosign-extract.sh (for extracting SBOM and triage attestations)
- cosign-verify-image.sh (for verifying image signatures)
Verifies whether a Docker image was built using a Chainguard base image by checking signatures. Works in two modes:
- Starter images (default): Public verification using GitHub Actions OIDC issuer. No authentication required.
- Production images: Uses a Chainguard organization with
chainctlfor verification (requires token or identity).
# Starter image verification (no org)
./verify-chainguard-base-image.sh --image cgr.dev/chainguard/alpine:latest
# Production image verification (with org)
./verify-chainguard-base-image.sh --image registry.example.com/app:latest \
--chainguard-org my-org \
--chainctl-token "$CHAINCTL_TOKEN"
# Silent mode for automation (prints only variables)
./verify-chainguard-base-image.sh --image myimage:tag --output-level noneOutputs (silent mode):
IS_CHAINGUARD=true|false
BASE_IMAGE="<detected base image or unknown>"
SIGNATURE_VERIFIED=true|false
This script is also invoked automatically by scanner/k8s-image-scanner.sh for each image; results appear in the final table and in per-image JSON (chainguard_verification.json).
A powerful bash script for extracting and inspecting Cosign attestations from container images. This tool helps you retrieve various types of security attestations including SLSA provenance, SBOM data, vulnerability reports, and custom attestations.
- Multiple Attestation Types: Supports SLSA, CycloneDX, SPDX, vulnerability reports, license information, triage data, and custom attestations
- Flexible Extraction: Extract single attestations, all attestations of a specific type, or all available attestations
- Predicate-Only Extraction: Extract only the predicate content with
--predicate-only(ideal for raw SBOM extraction for Trivy scanning) - Discovery Mode: List available attestation types for any container image
- Inspection Tools: Inspect referrers with missing predicate types
- Output Options: Save to files or output to stdout with proper JSON formatting
- Cryptographic Verification: Verify attestations using Cosign before extraction with configurable OIDC issuer and identity patterns
- Verification-Only Mode: Skip content extraction with
--no-extractionfor verification-only workflows
| Type | Description | Predicate Type |
|---|---|---|
slsa |
SLSA Provenance v1 | https://slsa.dev/provenance/v1 |
cyclonedx |
CycloneDX SBOM | https://cyclonedx.org/bom |
spdx |
SPDX Document | https://spdx.dev/Document |
vuln |
Vulnerability Report | https://cosign.sigstore.dev/attestation/vuln/v1 |
license |
License Information | https://aleph-alpha.com/attestations/license/v1 |
triage |
Triage Data | https://aleph-alpha.com/attestations/triage/v1 |
custom |
Custom Attestation | https://cosign.sigstore.dev/attestation/v1 |
List available attestations for an image (default behavior when no type specified):
./cosign-extract.sh --image registry.example.com/myapp:latest
# or explicitly:
./cosign-extract.sh --image registry.example.com/myapp:latest --listExtract a specific attestation type:
./cosign-extract.sh --type slsa --image registry.example.com/myapp:latest --output provenance.jsonExtract only the predicate content (raw SBOM) for Trivy scanning:
./cosign-extract.sh --type cyclonedx --image registry.example.com/myapp:latest --output sbom.json --predicate-onlyExtract all SBOM attestations:
./cosign-extract.sh --type cyclonedx --image registry.example.com/myapp:latest --choice all --output sbom-Extract all attestation types to a directory:
./cosign-extract.sh --image registry.example.com/myapp:latest --choice all --output ./attestations/Inspect referrers with missing predicate types:
./cosign-extract.sh --image registry.example.com/myapp:latest --inspect-nullExtract and verify an SPDX SBOM with cryptographic verification:
./cosign-extract.sh --type spdx --image registry.example.com/myapp:latest --verify --output sbom.spdx.jsonAutomatically select the most recent attestation when multiple exist:
./cosign-extract.sh --type triage --image registry.example.com/myapp:latest --last --output triage.jsonExtract with custom verification parameters:
./cosign-extract.sh --type slsa --image registry.example.com/myapp:latest --verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp "https://github.com/myorg/myrepo/.github/workflows/.*" \
--output provenance.jsonVerify attestations without extracting content:
./cosign-extract.sh --type spdx --image registry.example.com/myapp:latest --verify --no-extractionVerify all attestation types without extraction:
./cosign-extract.sh --image registry.example.com/myapp:latest --choice all --verify --no-extractionUsage:
./cosign-extract.sh --type TYPE --image IMAGE[:TAG] [--choice index|all] [--output FILE] [--verify] [--no-extraction]
./cosign-extract.sh --image IMAGE[:TAG] --choice all --output DIR
./cosign-extract.sh --image IMAGE[:TAG] --list [--show-null]
./cosign-extract.sh --image IMAGE[:TAG] --inspect-null
./cosign-extract.sh --type TYPE --image IMAGE[:TAG] --verify --no-extraction # verify only, no extraction
Options:
--type TYPE Attestation type (slsa|cyclonedx|spdx|vuln|license|triage|custom)
--image IMAGE Fully qualified image reference (required)
--choice Which attestation to fetch: index, all
--last Automatically select the most recent attestation if multiple exist
--output PATH Output file (single type) or directory (all types)
--predicate-only Extract only the predicate content (useful for raw SBOM extraction for Trivy)
--list List available predicateTypes and counts
--show-null Show entries missing predicateType in --list
--inspect-null Inspect referrers missing predicateType
--verify Verify attestations using cosign before extraction
--no-extraction Skip extraction and content output (useful with --verify for verification-only)
--certificate-oidc-issuer ISSUER OIDC issuer for verification (default: https://token.actions.githubusercontent.com)
--certificate-identity-regexp REGEX Identity regexp for verification (default: Aleph Alpha workflows)
-h, --help Show this help
Verification:
When --verify is used, attestations are verified using cosign verify-attestation before extraction.
Default verification uses GitHub Actions OIDC issuer and Aleph Alpha workflow identity patterns.
Use --no-extraction to skip content output and only perform verification.
When multiple attestations of the same type are found, the script will prompt you to select which one to extract:
./cosign-extract.sh --type slsa --image registry.example.com/myapp:latest
# Output:
# π Found 2 attestations for type=slsa:
# [1] sha256:abc123...
# [2] sha256:def456...
# Select attestation [1-2]: 1Use the --last flag to automatically select the most recent attestation without interactive prompts:
./cosign-extract.sh --type triage --image registry.example.com/myapp:latest --last
# Output:
# π Found 2 attestations for type=triage:
# [1] sha256:abc123...
# [2] sha256:def456...
# βΉοΈ Automatically selecting most recent attestation [2/2]This is particularly useful for:
- Automated workflows where user interaction is not possible
- CI/CD pipelines that need the latest attestation data
- Scripts that require deterministic behavior without prompts
The script supports cryptographic verification of attestations using Cosign before extraction. This ensures that:
- Authenticity: Attestations are signed by trusted entities
- Integrity: Attestations haven't been tampered with
- Identity Verification: Signatures come from expected workflows/identities
Default Verification Settings:
- OIDC Issuer:
https://token.actions.githubusercontent.com(GitHub Actions) - Identity Pattern: Aleph Alpha shared workflows (
https://github.com/Aleph-Alpha/shared-workflows/.github/workflows/(build-and-push|scan-and-attest).yaml@.*)
Custom Verification: You can override the default verification parameters:
# Verify with custom GitHub organization workflows
./cosign-extract.sh --type spdx --image myregistry.com/app:latest --verify \
--certificate-identity-regexp "https://github.com/myorg/.*/.github/workflows/.*"
# Verify with different OIDC issuer
./cosign-extract.sh --type slsa --image myregistry.com/app:latest --verify \
--certificate-oidc-issuer https://accounts.google.com \
--certificate-identity-regexp ".*@mycompany.com"Verification Process:
- Script checks if
cosignis installed - Runs
cosign verify-attestationwith specified parameters - Only proceeds with extraction if verification succeeds
- Displays verification status and details
Verification-Only Mode:
Use --no-extraction to perform verification without extracting content. This is useful for:
- CI/CD pipelines that only need to verify attestation authenticity
- Security audits where you only need to confirm signatures are valid
- Compliance checks without exposing sensitive attestation content
- Quick verification without the overhead of content processing
When --verify --no-extraction is used together, the script optimizes performance by exiting immediately after successful verification, skipping the ORAS discovery and download phases entirely.
# Just verify that SLSA provenance exists and is valid
./cosign-extract.sh --type slsa --image myapp:latest --verify --no-extraction
# Verify all attestations are properly signed
./cosign-extract.sh --image myapp:latest --choice all --verify --no-extractionA dedicated script for verifying container image signatures using Cosign. This tool focuses specifically on image signature verification (not attestations) and supports both keyless and key-based verification methods.
- Multiple Verification Modes: Keyless verification (default), key-based verification, or custom OIDC configurations
- Flexible Identity Matching: Support for exact identity matching or regex patterns
- Signature Extraction: Save signatures and certificates to files for further analysis
- Flexible Output Levels: Configurable verbosity (none, info, verbose) for different use cases
- Non-Failing Mode:
--no-errorflag allows checking signature status without failing on unsigned images - Digest Resolution: Automatically resolves tags to digests for secure verification
- Pre-configured Defaults: Ready-to-use settings for Aleph Alpha workflows
| Mode | Description | Use Case |
|---|---|---|
| Keyless (default) | Uses OIDC identity and transparency log | GitHub Actions, automated workflows |
| Key-based | Uses provided public key file | Traditional key-pair signing |
| Custom Keyless | Custom OIDC issuer and identity patterns | Other CI/CD systems, custom workflows |
Verify with default Aleph Alpha settings:
./cosign-verify-image.sh --image registry.example.com/myapp:latestVerify with custom GitHub organization:
./cosign-verify-image.sh --image registry.example.com/myapp:latest \
--certificate-identity-regexp "https://github.com/myorg/.*/.github/workflows/.*"Verify with specific workflow identity:
./cosign-verify-image.sh --image registry.example.com/myapp:latest \
--certificate-identity "https://github.com/myorg/myrepo/.github/workflows/build.yaml@refs/heads/main"Verify with public key file:
./cosign-verify-image.sh --image registry.example.com/myapp:latest --key cosign.pubVerbose verification with signature extraction:
./cosign-verify-image.sh --image registry.example.com/myapp:latest --output-level verbose \
--output-signature signature.sig --output-certificate cert.pemSilent mode for automation (only exit codes):
./cosign-verify-image.sh --image registry.example.com/myapp:latest --output-level noneCheck if image is signed without failing (useful for discovery):
./cosign-verify-image.sh --image registry.example.com/myapp:latest --output-level none --no-errorUsage:
./cosign-verify-image.sh --image IMAGE[:TAG] [--verify-options]
./cosign-verify-image.sh --image IMAGE[:TAG] --certificate-oidc-issuer ISSUER --certificate-identity-regexp REGEX
./cosign-verify-image.sh --image IMAGE[:TAG] --key KEY_FILE
./cosign-verify-image.sh --image IMAGE[:TAG] --keyless
Options:
--image IMAGE Fully qualified image reference (required)
--certificate-oidc-issuer ISSUER OIDC issuer for keyless verification (default: https://token.actions.githubusercontent.com)
--certificate-identity-regexp REGEX Identity regexp for keyless verification (default: Aleph Alpha workflows)
--certificate-identity IDENTITY Exact certificate identity for keyless verification
--key KEY_FILE Path to public key file for key-based verification
--keyless Use keyless verification (default mode)
--rekor-url URL Rekor transparency log URL (default: https://rekor.sigstore.dev)
--output-signature FILE Save signature to file
--output-certificate FILE Save certificate to file
--output-level LEVEL Output verbosity: none, info (default), verbose
--no-error Return exit code 0 even on verification failure
-h, --help Show this help
- Digest-based Verification: Automatically resolves tags to digests when
craneis available - Transparency Log Integration: Uses Rekor transparency log for keyless verification
- Identity Validation: Strict OIDC identity matching to prevent impersonation
- Comprehensive Error Reporting: Clear feedback on verification failures with troubleshooting hints
Before using these scripts, ensure you have the following tools installed:
- bash (version 4.0 or later)
- jq - JSON processor for parsing and formatting JSON data
- crane - Tool for interacting with container registries
- docker - Container runtime (for registry accessibility checking in k8s-image-scanner.sh)
- cosign - Container signing and verification tool
- trivy - Container vulnerability scanner (for k8s-image-scanner.sh)
- column - Table formatting utility (usually pre-installed on Unix systems)
macOS (using Homebrew):
brew install jq crane cosign trivyUbuntu/Debian:
# Install jq
sudo apt-get update && sudo apt-get install -y jq
# Install crane
curl -sL "https://github.com/google/go-containerregistry/releases/latest/download/go-containerregistry_$(uname -s)_$(uname -m).tar.gz" | tar -xz crane
sudo mv crane /usr/local/bin/
# Install cosign
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign
# Install trivy
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin-
Clone this repository:
git clone https://github.com/Aleph-Alpha/support.git cd support -
Make the scripts executable:
chmod +x scanner/k8s-image-scanner.sh cosign-scan-image.sh cosign-extract.sh cosign-verify-image.sh verify-chainguard-base-image.sh
-
Optionally, add the scripts to your PATH or create symlinks in
/usr/local/bin/for system-wide access.
We welcome contributions to improve these support scripts! Please feel free to:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
Please ensure your code follows the existing style and includes appropriate error handling and documentation.
This project is licensed under the MIT License - see the LICENSE file for details.
Aleph Alpha researches, develops and deploys sovereign, explainable AI. At the heart of our offering is PhariaAI β a modular AI suite that empowers enterprises and governments to build, customize, and operate their own AI infrastructure to maintain critical digital sovereignty. Instead of renting black-box technology, organizations retain full ownership, independence, and control over their data, processes, and value creation.
Our support scripts are designed to assist customers and the broader community in streamlining workflows and enhancing efficiency when working with containerized applications and security attestation processes. By simplifying complex tasks, optimizing performance, and ensuring compliance, these tools empower users to focus on innovation and secure deployment practices.
For questions, issues, or feature requests, please open an issue in this repository or contact our support team.