Anonymous View
Skip to content

cupofpython/integrity-check

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
.github/workflows
.github/workflows
 
 
Dockerfile.cg
Dockerfile.cg
 
 
Dockerfile.dh
Dockerfile.dh
 
 
README.md
README.md
 
 
RELEASE.md
RELEASE.md
 
 
action.yml
action.yml
 
 
image-policy.json
image-policy.json
 
 

Repository files navigation

Integrity Check

Description

This repo provides a GitHub action meant to be incorporated into build pipelines to check for the integrity of base images in Dockerfiles. It detects if there are signatures from trusted signers associated with base images, and fails if there is not. Trusted signers are specified in the image-policy.json file.

The presence of a cryptographic signature from a trusted signer indicates the authenticity of an image. Cosign signs images with ephemeral keys by authenticating with an OIDC protocol. This bakes authenticity into the signing process.

How to Use

You can plug-and-play the GitHub action into your pipeline like so:

- uses: cupofpython/integrity-check@v1
        with:
          dockerfile: Dockerfile # or path to your Dockerfile
          policy-file: image-policy.json # or path to your policy file

About

A re-usable GitHub action to check the integrity of your software supply chain on each image build

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

v1.1.0 Latest
Mar 17, 2026
+ 1 release

Packages

 
 
 

Contributors