Supply-chain security headlines went mainstream in 2021. SolarWinds, Codecov, and dependency hijacks forced every platform leader to ask, “What can I trust?” Sigstore emerged as a response: keyless signing of container images, with every signature recorded in a public transparency log. Chainguard, Google, and the Linux Foundation evangelized it across Medium, KubeCon, and countless podcasts. Many teams adopted Cosign for containers, but stopped there. The pipeline still promoted unsigned Terraform plans, Helm charts, and policy bundles.
At Cloudythings we treat signing as a holistic discipline. This post explains how we extended Sigstore across the pipeline: Terraform, Kubernetes manifests, GitHub Actions, and OPA policies. The goal is not compliance theatre; it is to build a trail of authenticity that secures production changes without slowing developers.
Establish a signing trust model
We start by mapping artifact types and their trust requirements:
- Container images executing production code.
- Infrastructure definitions (Terraform, Pulumi).
- Kubernetes manifests promoted through GitOps.
- Policy bundles (OPA, Kyverno) enforcing guardrails.
- Pipeline automations (GitHub Actions, Tekton tasks) with access to critical secrets.
For each, we define signing subjects (“which identity is allowed to sign?”), verification policy, and storage location.
Embrace keyless workflows
Sigstore’s killer feature is keyless signing via workload identity: Cosign generates an ephemeral key pair, exchanges the workload’s OIDC token for a short-lived Fulcio certificate that binds the public key to that identity, signs, and records the result in Rekor. Verifiers pin the expected identity and issuer rather than a public key. We configure:
- GitHub Actions OIDC trust relationships so Cosign can request Fulcio certificates on demand (the job needs `permissions: id-token: write`).
- GCP Workload Identity Federation (or AWS IAM Roles Anywhere) for non-GitHub pipelines.
- SPIFFE IDs for on-prem systems, aligning with the patterns described by the CNCF SPIFFE/SPIRE working group.
No long-lived private keys exist: the signing key is discarded after use and the Fulcio certificate is valid for minutes, so there is nothing to revoke. Removing a signer means removing its identity from the verification policy (and the OIDC trust that issues it), not chasing YubiKeys.
Sign Terraform plans
Terraform is declarative, but the plan a reviewer approved and the plan that gets applied are only the same artifact if something binds them. We:
- Run `terraform plan -out=plan.out` in CI.
- Serialize the plan (`terraform show -json plan.out > plan.json`).
- Sign with Cosign, keyless to match the trust model above: `cosign sign-blob --bundle plan.json.bundle plan.json` (if you keep a key in a Kubernetes secret instead, `--key k8s://sigstore/system/terraform` selects it). Sign `plan.out` the same way, since the binary plan, not the JSON rendering, is what `terraform apply` consumes.
- Store plan blobs and signature bundles in an S3 bucket with retention aligned to audit policies.
At apply time, we verify signatures before executing (`cosign verify-blob --bundle plan.json.bundle --certificate-identity <workflow identity> --certificate-oidc-issuer <issuer> plan.json`). Verification pins the expected signer identity and OIDC issuer, so a valid signature from the wrong workflow is still a failure. If the signature is missing or the signer identity mismatches, the pipeline halts. This pattern mirrors the “signed plans” approach described by HashiCorp engineers at HashiConf 2022.
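The plan-and-apply gate described above, written out as an added example (this is not Cloudythings’ pipeline code). The bucket name, the workflow identity and the OIDC issuer are placeholders; the script needs terraform, cosign v2 and the aws CLI when run for real, and the plan job must grant `permissions: id-token: write` so cosign can obtain a Fulcio certificate.

```shell
#!/usr/bin/env sh
# Added example, not Cloudythings' tooling: keyless-sign a Terraform plan in
# the plan job and refuse to apply it unless the signature verifies against a
# pinned signer identity. Assumed placeholders: PLAN_BUCKET, ALLOWED_IDENTITY,
# ALLOWED_ISSUER. Needs terraform, cosign v2 and the aws CLI when run for real.
set -eu

: "${PLAN_BUCKET:=s3://example-tf-plans}"   # assumed audit bucket (Object Lock gives retention)
: "${ALLOWED_IDENTITY:=https://github.com/example-org/infra/.github/workflows/plan.yml@refs/heads/main}"
: "${ALLOWED_ISSUER:=https://token.actions.githubusercontent.com}"

# Plan job: write plan.out, render it to JSON for reviewers, sign both.
# plan.out is what `terraform apply` consumes, so signing only plan.json would
# leave the applied artifact unbound. `--bundle` stores signature, certificate
# and Rekor entry in one file; `--yes` skips the Rekor upload prompt.
plan_and_sign() {
  env="$1"
  terraform plan -input=false -out=plan.out
  terraform show -json plan.out > plan.json
  for f in plan.out plan.json; do
    cosign sign-blob --yes --bundle "$f.bundle" "$f"
    aws s3 cp "$f" "$PLAN_BUCKET/$env/$f"
    aws s3 cp "$f.bundle" "$PLAN_BUCKET/$env/$f.bundle"
  done
}

# Gate: returns non-zero (halt) when the bundle is missing or cosign rejects
# the blob. --certificate-identity / --certificate-oidc-issuer pin the signer,
# so a valid signature from another workflow or issuer is rejected as well.
verify_artifact() {
  f="$1"
  if [ ! -s "$f.bundle" ]; then
    echo "HALT: no signature bundle for $f" >&2
    return 1
  fi
  if ! cosign verify-blob --bundle "$f.bundle" \
       --certificate-identity "$ALLOWED_IDENTITY" \
       --certificate-oidc-issuer "$ALLOWED_ISSUER" \
       "$f"; then
    echo "HALT: $f rejected (unsigned, tampered, or wrong signer)" >&2
    return 1
  fi
  return 0
}

# Apply job: fetch exactly what the plan job stored, verify, then apply.
# Explicit `|| return 1` so the halt holds even when a caller disables set -e.
apply_if_verified() {
  env="$1"
  for f in plan.out plan.json plan.out.bundle plan.json.bundle; do
    aws s3 cp "$PLAN_BUCKET/$env/$f" "$f"
  done
  verify_artifact plan.out || return 1
  verify_artifact plan.json || return 1
  terraform apply -input=false plan.out
}

case "${1:-}" in
  plan)  plan_and_sign "$2" ;;
  apply) apply_if_verified "$2" ;;
esac
```

Run `sh gate.sh plan prod` in the plan job and `sh gate.sh apply prod` in the apply job. The identity string is the GitHub Actions workflow SAN that Fulcio puts in the certificate; pinning it to a branch ref means a plan signed from a feature branch cannot be applied to production.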
Verify GitOps manifests
GitOps gives us a tidy promotion path, but manifests still need provenance. We:
- Sign manifests (or Kustomize bundles) during the promotion PR using `cosign sign-blob`.
- Store signatures in Rekor and annotate the Git commit with the Rekor entry UUID.
- Configure Argo CD’s `oidc-tokens` feature and the Sigstore policy controller to verify signatures before applying manifests. We leaned heavily on documentation from the Sigstore policy-controller project and the Argo CD maintainers’ blog posts.
Bonus: When a manifest fails verification, the sync fails, Argo CD leaves the application OutOfSync, and our alerting fires. Incident responders know immediately that provenance failed.
Secure OPA/Kyverno policies
Guardrails can be tampered with too. We treat policies like code:
- Bundle Rego and Kyverno manifests via `opa build` and `kyverno bundle`.
- Sign bundles with Cosign; publish to OCI registries (policy-as-container).
- Configure Gatekeeper/Kyverno to verify signatures on admission. Kyverno’s `verifyImages` rule works on policy bundles with minimal tweaks.
This pattern was inspired by Styra’s policy distribution blog and Red Hat’s work on policy OCI artifacts.
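The policy-as-container flow above, as an added example rather than Cloudythings’ tooling: build an OPA bundle, push it to an OCI registry, sign it keyless, and make consumers refuse any reference that is not digest-pinned and verified. The registry path, signer identity, issuer and the Kyverno image-reference glob are placeholders; the layer media type follows OPA’s OCI bundle documentation and should be checked against your OPA version.

```shell
#!/usr/bin/env sh
# Added example, not from the post. Assumed placeholders: POLICY_REF,
# ALLOWED_IDENTITY, ALLOWED_ISSUER, the ghcr.io glob in the Kyverno policy, and
# OPA_LAYER_TYPE (per OPA's OCI bundle docs; verify for your OPA version).
# Needs opa, oras, cosign v2 and kubectl when run for real.
set -eu

: "${POLICY_REF:=ghcr.io/example-org/policies/guardrails:1.4.0}"
: "${ALLOWED_IDENTITY:=https://github.com/example-org/policies/.github/workflows/release.yml@refs/heads/main}"
: "${ALLOWED_ISSUER:=https://token.actions.githubusercontent.com}"
OPA_LAYER_TYPE="application/vnd.oci.image.layer.v1.tar+gzip"

# Publisher side: bundle, push, sign. cosign signs the manifest digest, so the
# signature survives retagging but not rebuilding.
build_push_sign() {
  opa build -b policy/ -o bundle.tar.gz
  oras push "$POLICY_REF" "bundle.tar.gz:$OPA_LAYER_TYPE"
  cosign sign --yes "$POLICY_REF"
}

# Consumer check 1: the reference must carry a well-formed sha256 digest.
# Tags move; the digest is the only reference a verified signature covers.
require_digest_ref() {
  ref="$1"
  case "$ref" in
    *@sha256:*) ;;
    *) echo "HALT: $ref is not pinned by digest" >&2; return 1 ;;
  esac
  hex="${ref##*@sha256:}"
  if [ "${#hex}" -ne 64 ] || [ -n "$(printf '%s' "$hex" | tr -d '0-9a-f')" ]; then
    echo "HALT: malformed digest in $ref" >&2
    return 1
  fi
  return 0
}

# Consumer check 2: the signature must chain to the release workflow identity.
# The digest check runs first so a tag-only ref never reaches cosign.
verify_policy_ref() {
  ref="$1"
  require_digest_ref "$ref" || return 1
  cosign verify --certificate-identity "$ALLOWED_IDENTITY" \
                --certificate-oidc-issuer "$ALLOWED_ISSUER" "$ref" > /dev/null
}

# Kyverno admission policy: any Pod that pulls a policy bundle image (for
# example an OPA init container that loads it) must carry a keyless signature
# from the release workflow. mutateDigest rewrites the tag to the verified digest.
kyverno_policy() {
  cat <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-policy-bundles
spec:
  validationFailureAction: Enforce
  rules:
    - name: keyless-policy-bundles
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences: ["ghcr.io/example-org/policies/*"]
          mutateDigest: true
          attestors:
            - entries:
                - keyless:
                    subject: "$ALLOWED_IDENTITY"
                    issuer: "$ALLOWED_ISSUER"
                    rekor:
                      url: https://rekor.sigstore.dev
EOF
}

case "${1:-}" in
  publish) build_push_sign ;;
  verify)  verify_policy_ref "$2" ;;
  kyverno) kyverno_policy | kubectl apply -f - ;;
esac
```

`sh policy.sh publish` runs in the policy repo’s release workflow; `sh policy.sh verify ghcr.io/…@sha256:…` belongs in whatever rolls the bundle out to OPA, and `sh policy.sh kyverno` installs the admission rule once per cluster.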
Harden pipelines
GitHub Actions used to run arbitrary third-party actions. Now:
- We pin actions to full commit SHAs rather than tags or branches (a tag can be moved to different code; a SHA cannot) and verify Sigstore attestations published by the maintainers (GitHub’s reusable workflows support this).
- Self-hosted runners validate signed job definitions before execution. Tekton Chains and GitHub’s Artifact Attestations help here.
- We record attestations describing how artifacts were built (SLSA v1.0 provenance), leaning on projects like `slsa-github-generator`.
Developers still write YAML, but the pipeline ensures it executes trustworthy code.
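One concrete piece of that enforcement, added here as an example (not Cloudythings’ tooling): a CI check that fails when a workflow references an action by tag or branch instead of a full 40-hex commit SHA, or a `docker://` action without a sha256 digest. Local actions (`./path`) are skipped because SHA pinning does not apply to them. The sample workflow inside the script is constructed for the demo; its SHA is a placeholder, not a real commit.

```shell
#!/usr/bin/env sh
# Added example, not from the post. Scans GitHub Actions workflow files for
# `uses:` references that are not pinned. The sample workflow written by
# write_sample_workflow is constructed; its 40-hex SHA is a placeholder.
set -eu

# Emit "file:line:ref" for every `uses:` value that is not pinned.
unpinned_refs() {
  for wf in "$@"; do
    awk -v f="$wf" '
      BEGIN {
        # Build the patterns with loops so this also runs on awks that lack
        # the {n} interval operator.
        h = "[0-9a-f]"
        sha = "@";        for (i = 0; i < 40; i++) sha = sha h; sha = sha "$"
        dig = "@sha256:"; for (i = 0; i < 64; i++) dig = dig h; dig = dig "$"
      }
      /^[[:space:]-]*uses:[[:space:]]*/ {
        ref = $0
        sub(/^[[:space:]-]*uses:[[:space:]]*/, "", ref)   # keep only the value
        sub(/[[:space:]]+#.*$/, "", ref)                   # drop trailing comment
        gsub(/"/, "", ref); gsub("\047", "", ref)          # drop quotes
        if (ref ~ /^\.\//) next                            # local action: nothing to pin
        if (ref ~ /^docker:\/\//) { if (ref !~ dig) print f ":" NR ":" ref; next }
        if (ref !~ sha) print f ":" NR ":" ref
      }' "$wf"
  done
}

# CI entry point: non-zero when anything is unpinned, with the offenders listed.
check_pinned_actions() {
  bad=$(unpinned_refs "$@")
  if [ -n "$bad" ]; then
    printf 'Unpinned action references (pin to a commit SHA or image digest):\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample: one pinned step, one local action, three offenders.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets cosign obtain a Fulcio certificate for this job
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: sigstore/cosign-installer@v3                              # tag: movable
      - uses: "./.github/actions/lint"                                  # local: skipped
      - uses: docker://alpine:3.19                                      # no digest
      - name: Set up Go
        uses: actions/setup-go@main                                     # branch: movable
EOF
}

case "${1:-}" in
  demo)  d=$(mktemp -d); write_sample_workflow "$d/release.yml"; check_pinned_actions "$d/release.yml" ;;
  check) shift; check_pinned_actions "$@" ;;
esac
```

`sh pin-check.sh check .github/workflows/*.yml` as an early pipeline step fails the build on the three offending lines in the sample; `sh pin-check.sh demo` shows the output. A SHA pin is only half the control: the `permissions` block in the sample is what keeps a compromised third-party step from minting an OIDC token in a job that never needed one.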
Make verification painless
Signing without easy verification breeds resentment. We provide:
- CLI tooling (`ct verify artifact`) that wraps Cosign verification logic and prints human-readable summaries.
- Backstage plugins showing signature status for services, IaC modules, and policies.
- Pipeline annotations that link to Rekor entries and display signer identities.
People trust what they can inspect without a security PhD.
Audit and incident response
During an incident, provenance is gold. We automate:
- Incident bot enrichment: When responders open a PagerDuty incident, the bot pulls the last applied manifest, Terraform plan, and policy bundle along with signer identities.
- Tamper alerts: If verification fails or signatures are missing, we trigger high-severity alerts. Supply-chain compromises demand immediate attention.
- Audit packs: Compliance teams get a packaged report (JSON + PDFs) detailing signatures, Rekor logs, and SLSA attestations for every production change.
The approach mirrors stories from Shopify’s engineering blog and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) guidance on software supply-chain assurance.
Developer experience still matters
We guard against “security tax” by:
- Automating everything—developers do not call Cosign manually.
- Failing fast—pipelines verify locally before pushing to Rekor.
- Educating—we host 30-minute sessions explaining what Rekor, Fulcio, and SLSA actually do, demystifying the tooling.
Teams appreciate security when it keeps them shipping safely rather than slowing them down.
Signing everything is not paranoia. It is about building a reliable chain of custody so you know who changed what, when, and how. Sigstore gives the primitives. With thoughtful automation, policy integration, and developer empathy, you can extend it far beyond containers—and finally sleep through the next supply-chain headline.