{"id":37163537,"url":"https://github.com/sse-secure-systems/connaisseur","last_synced_at":"2026-01-14T19:27:04.150Z","repository":{"id":36980099,"uuid":"285587924","full_name":"sse-secure-systems/connaisseur","owner":"sse-secure-systems","description":"An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster","archived":false,"fork":false,"pushed_at":"2025-11-07T13:03:44.000Z","size":30892,"stargazers_count":461,"open_issues_count":38,"forks_count":62,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-11-07T13:05:28.681Z","etag":null,"topics":["admission-controllers","authentication","container","container-images","cosign","docker","docker-content-trust","image-signature","integrity","kubernetes","notary","provenance","security","signature-verification","sigstore"],"latest_commit_sha":null,"homepage":"https://sse-secure-systems.github.io/connaisseur/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sse-secure-systems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"docs/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-08-06T14:09:13.000Z","updated_at":"2025-11-03T14:49:11.000Z","dependencies_parsed_at":"2023-10-10T20:35:34.168Z","dependency_job_id":"5c38cb19-0d14-4b9e-be04-0a3c0b187315","html_url":"https://github.com/sse-secure-systems/connaisseur","commit_stats":null,"previous_names":[],"tags_count":48,"template":false,"template_full_name":null,"purl":"pkg:github/sse-secure-systems/connaisseur","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sse-secure-systems%2Fconnaisseur","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sse-secure-systems%2Fconnaisseur/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sse-secure-systems%2Fconnaisseur/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sse-secure-systems%2Fconnaisseur/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sse-secure-systems","download_url":"https://codeload.github.com/sse-secure-systems/connaisseur/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sse-secure-systems%2Fconnaisseur/sbom","scorecard":{"id":722676,"data":{"date":"2024-12-13T02:47:48Z","repo":{"name":"github.com/sse-secure-systems/connaisseur","commit":"e7e0698ad4ab33926b658ac29e9408497cc3c7f6"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":7.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":5,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'master'","Info: 'force pushes' disabled on branch 'master'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'master'","Info: 'stale review dismissal' is required to merge on branch 'master'","Warn: required approving review count is 1 on branch 'master'","Warn: codeowners review is not required on branch 'master'","Warn: 'last push approval' is disable on branch 'master'","Info: 'up-to-date branches' is required to merge on branch 'master'","Info: status check found to merge onto on branch 'master'","Info: PRs are required in order to make changes on branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"28 out of 28 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":6,"reason":"project has 2 contributing companies or organizations -- score normalized to 6","details":["Info: sse-secure-systems contributor org/company found, sse secure systems engineering gmbh contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"24 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: containerImage not pinned by hash: build/Dockerfile:1","Warn: containerImage not pinned by hash: build/Dockerfile:15","Warn: containerImage not pinned by hash: test/integration/alerting/Dockerfile:1: pin your Docker image by updating python:3-alpine to python:3-alpine@sha256:657dbdb20479a6523b46c06114c8fec7db448232f956a429d3cc0606d30c1b59","Warn: pipCommand not pinned by hash: test/integration/alerting/Dockerfile:6","Warn: pipCommand not pinned by hash: .github/workflows/.reusable-docs.yaml:38","Info:  36 out of  36 GitHub-owned GitHubAction dependencies pinned","Info:  20 out of  20 third-party GitHubAction dependencies pinned","Info:   1 out of   4 containerImage dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: docs/SECURITY.md:1","Info: Found linked content: docs/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: docs/SECURITY.md:1","Info: Found text in security policy: docs/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: found token with 'none' permissions: .github/workflows/.reusable-build.yml:1","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/.reusable-build.yml:81","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/.reusable-ci.yml:162","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-ci.yml:170","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/.reusable-ci.yml:100","Info: jobLevel 'actions' permission set to 'read': .github/workflows/.reusable-ci.yml:112","Info: jobLevel 'deployments' permission set to 'read': .github/workflows/.reusable-ci.yml:114","Info: jobLevel 'issues' permission set to 'read': .github/workflows/.reusable-ci.yml:115","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-ci.yml:117","Info: jobLevel 'attestations' permission set to 'read': .github/workflows/.reusable-ci.yml:122","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/.reusable-ci.yml:109","Info: jobLevel 'discussions' permission set to 'read': .github/workflows/.reusable-ci.yml:116","Info: jobLevel 'pages' permission set to 'read': .github/workflows/.reusable-ci.yml:118","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/.reusable-ci.yml:119","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/.reusable-ci.yml:111","Info: jobLevel 'repository-projects' permission set to 'read': .github/workflows/.reusable-ci.yml:120","Info: jobLevel 'statuses' permission set to 'read': .github/workflows/.reusable-ci.yml:121","Info: jobLevel 'checks' permission set to 'read': .github/workflows/.reusable-ci.yml:113","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/.reusable-ci.yml:137","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/.reusable-ci.yml:138","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/.reusable-ci.yml:147","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/.reusable-ci.yml:148","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-ci.yml:149","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/.reusable-compliance.yml:48","Info: found token with 'none' permissions: .github/workflows/.reusable-compliance.yml:1","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/.reusable-docs.yaml:24","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-integration-test.yml:37","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-integration-test.yml:110","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-integration-test.yml:174","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-integration-test.yml:230","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-integration-test.yml:287","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/.reusable-publish.yml:24","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/.reusable-publish.yml:61","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/.reusable-sast.yml:65","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-sca.yml:38","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/.reusable-sca.yml:39","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-sca.yml:59","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/.reusable-sca.yml:60","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/.reusable-sca.yml:84","Info: jobLevel 'packages' permission set to 'read': .github/workflows/.reusable-sca.yml:83","Info: jobLevel 'attestations' permission set to 'read': .github/workflows/nightly-build.yaml:30","Info: jobLevel 'checks' permission set to 'read': .github/workflows/nightly-build.yaml:22","Info: jobLevel 'deployments' permission set to 'read': .github/workflows/nightly-build.yaml:23","Info: jobLevel 'issues' permission set to 'read': .github/workflows/nightly-build.yaml:24","Info: jobLevel 'pages' permission set to 'read': .github/workflows/nightly-build.yaml:26","Info: jobLevel 'statuses' permission set to 'read': .github/workflows/nightly-build.yaml:29","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/nightly-build.yaml:17","Info: jobLevel 'actions' permission set to 'read': .github/workflows/nightly-build.yaml:21","Info: jobLevel 'discussions' permission set to 'read': .github/workflows/nightly-build.yaml:25","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/nightly-build.yaml:27","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/nightly-build.yaml:18","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/nightly-build.yaml:20","Info: jobLevel 'repository-projects' permission set to 'read': .github/workflows/nightly-build.yaml:28","Info: jobLevel 'statuses' permission set to 'read': .github/workflows/nightly.yaml:29","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/nightly.yaml:18","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/nightly.yaml:20","Info: jobLevel 'issues' permission set to 'read': .github/workflows/nightly.yaml:24","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/nightly.yaml:27","Info: jobLevel 'checks' permission set to 'read': .github/workflows/nightly.yaml:22","Info: jobLevel 'deployments' permission set to 'read': .github/workflows/nightly.yaml:23","Info: jobLevel 'discussions' permission set to 'read': .github/workflows/nightly.yaml:25","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/nightly.yaml:17","Info: jobLevel 'actions' permission set to 'read': .github/workflows/nightly.yaml:21","Info: jobLevel 'pages' permission set to 'read': .github/workflows/nightly.yaml:26","Info: jobLevel 'repository-projects' permission set to 'read': .github/workflows/nightly.yaml:28","Info: jobLevel 'attestations' permission set to 'read': .github/workflows/nightly.yaml:30","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/pr.yml:22","Info: jobLevel 'deployments' permission set to 'read': .github/workflows/pr.yml:25","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/pr.yml:29","Info: jobLevel 'repository-projects' permission set to 'read': .github/workflows/pr.yml:30","Info: jobLevel 'statuses' permission set to 'read': .github/workflows/pr.yml:31","Info: jobLevel 'issues' permission set to 'read': .github/workflows/pr.yml:26","Info: jobLevel 'discussions' permission set to 'read': .github/workflows/pr.yml:27","Info: jobLevel 'pages' permission set to 'read': .github/workflows/pr.yml:28","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/pr.yml:19","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/pr.yml:20","Info: jobLevel 'actions' permission set to 'read': .github/workflows/pr.yml:23","Info: jobLevel 'checks' permission set to 'read': .github/workflows/pr.yml:24","Info: jobLevel 'attestations' permission set to 'read': .github/workflows/pr.yml:32","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/publish.yml:25","Info: jobLevel 'deployments' permission set to 'read': .github/workflows/push.yml:25","Info: jobLevel 'discussions' permission set to 'read': .github/workflows/push.yml:27","Info: jobLevel 'repository-projects' permission set to 'read': .github/workflows/push.yml:30","Info: jobLevel 'statuses' permission set to 'read': .github/workflows/push.yml:31","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/push.yml:22","Info: jobLevel 'issues' permission set to 'read': .github/workflows/push.yml:26","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/push.yml:19","Info: jobLevel 'actions' permission set to 'read': .github/workflows/push.yml:23","Info: jobLevel 'pages' permission set to 'read': .github/workflows/push.yml:28","Info: jobLevel 'attestations' permission set to 'read': .github/workflows/push.yml:32","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/push.yml:20","Info: jobLevel 'checks' permission set to 'read': .github/workflows/push.yml:24","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/push.yml:29","Info: jobLevel 'packages' permission set to 'read': .github/workflows/release.yaml:55","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yaml:69","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/release.yaml:31","Info: found token with 'none' permissions: .github/workflows/.reusable-build.yml:1","Info: found token with 'none' permissions: .github/workflows/.reusable-ci.yml:1","Info: found token with 'none' permissions: .github/workflows/.reusable-cleanup-registry.yml:1","Info: topLevel permissions set to 'read-all': .github/workflows/.reusable-compliance.yml:11","Info: found token with 'none' permissions: .github/workflows/.reusable-docs.yaml:1","Info: found token with 'none' permissions: .github/workflows/.reusable-integration-test.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/.reusable-publish.yml:18","Info: found token with 'none' permissions: .github/workflows/.reusable-sast.yml:1","Info: found token with 'none' permissions: .github/workflows/.reusable-sca.yml:1","Info: found token with 'none' permissions: .github/workflows/.reusable-unit-test.yml:1","Info: found token with 'none' permissions: .github/workflows/dockerhub-check.yml:1","Info: found token with 'none' permissions: .github/workflows/nightly-build.yaml:1","Info: found token with 'none' permissions: .github/workflows/nightly.yaml:1","Info: found token with 'none' permissions: .github/workflows/pr.yml:1","Info: found token with 'none' permissions: .github/workflows/publish.yml:1","Info: found token with 'none' permissions: .github/workflows/push.yml:1","Info: found token with 'none' permissions: .github/workflows/release.yaml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v778-237x-gjrc / GO-2024-3321"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T11:50:27.632Z","repository_id":36980099,"created_at":"2025-08-22T11:50:27.633Z","updated_at":"2025-08-22T11:50:27.633Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28432604,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["admission-controllers","authentication","container","container-images","cosign","docker","docker-content-trust","image-signature","integrity","kubernetes","notary","provenance","security","signature-verification","sigstore"],"created_at":"2026-01-14T19:27:03.454Z","updated_at":"2026-01-14T19:27:04.133Z","avatar_url":"https://github.com/sse-secure-systems.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/sse-secure-systems/connaisseur/blob/master/LICENSE)\n[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/connaisseur)](https://artifacthub.io/packages/search?repo=connaisseur)\n[![cicd](https://github.com/sse-secure-systems/connaisseur/actions/workflows/02_push.yml/badge.svg)](https://github.com/sse-secure-systems/connaisseur/actions/workflows/02_push.yml)\n[![nightly](https://github.com/sse-secure-systems/connaisseur/actions/workflows/05_nightly.yaml/badge.svg)](https://github.com/sse-secure-systems/connaisseur/actions/workflows/05_nightly.yaml)\n[![codecov](https://codecov.io/gh/sse-secure-systems/connaisseur/branch/master/graph/badge.svg)](https://codecov.io/gh/sse-secure-systems/connaisseur)\n\n![](docs/assets/connaisseur_fulllogo.svg)\n\n\u003c!-- # Connaisseur --\u003e\n\nA Kubernetes admission controller to integrate container image signature verification and trust pinning into a cluster.\n\n**:point_right: The full documentation is available [here](https://sse-secure-systems.github.io/connaisseur/) :book:**\n\n**:point_right: Feel free to reach out via [GitHub Discussions](https://github.com/sse-secure-systems/connaisseur/discussions) :speech_balloon:**\n\n## What is Connaisseur?\n\nConnaisseur ensures integrity and provenance of container images in a Kubernetes cluster.\nTo do so, it intercepts resource creation or update requests sent to the Kubernetes cluster, identifies all container images and verifies their signatures against pre-configured public keys.\nBased on the result, it either accepts or denies those requests.\n\nConnaisseur is developed under three core values: *Security*, *Usability*, *Compatibility*.\nIt is built to be extendable and currently aims to support the following signing solutions:\n\n- [Notary V1](https://github.com/theupdateframework/notary) / [Docker Content Trust](https://docs.docker.com/engine/security/trust/)\n- [Sigstore](https://sigstore.dev/) / [Cosign](https://github.com/sigstore/cosign)\n- [Notary V2](https://github.com/notaryproject/nv2) (PLANNED)\n\nIt provides several additional features such as:\n\n- [Alerting](docs/features/alerting.md): *send alerts based on verification result*\n- [Detection Mode](docs/features/detection_mode.md): *warn but do not block invalid images*\n- [Namespaced Validation](docs/features/namespaced_validation.md): *restrict validation to dedicated namespaces*\n\n\n## Quick start\n\nGetting started to verify image signatures is only a matter of minutes:\n\n![](docs/assets/connaisseur_demo.gif)\n\n\u003e :warning: Only try this out on a test cluster as deployments with unsigned images will be blocked. :warning:\n\nConnaisseur comes pre-configured with public keys for its own repository and [Docker's official images](https://docs.docker.com/docker-hub/official_images/) (official images can be found [here](https://hub.docker.com/search?q=\u0026type=image\u0026image_filter=official)).\nIt can be fully configured via `helm/values.yaml`.\nFor a quick start, clone the Connaisseur repository:\n\n```bash\ngit clone https://github.com/sse-secure-systems/connaisseur.git\n```\n\nNext, install Connaisseur via [Helm](https://helm.sh):\n\n```bash\nhelm install connaisseur helm --atomic --create-namespace --namespace connaisseur\n```\n\nOnce installation has finished, you are good to go.\nSuccessful verification can be tested via official Docker images like `hello-world`:\n\n```bash\nkubectl run hello-world --image=docker.io/hello-world\n```\n\nOr our signed `testimage`:\n\n```bash\nkubectl run demo --image=docker.io/securesystemsengineering/testimage:signed\n```\n\nBoth will return `pod/\u003cname\u003e created`. However, when trying to deploy an unsigned image:\n\n```bash\nkubectl run demo --image=docker.io/securesystemsengineering/testimage:unsigned\n```\n\nConnaisseur denies the request and returns an error `(...) Unable to find signed digest (...)`. Since the images above are signed using Docker Content Trust, you can inspect the trust data using `docker trust inspect --pretty \u003cimage-name\u003e`.\n\nTo uninstall Connaisseur use:\n\n```bash\nhelm uninstall connaisseur --namespace connaisseur\n```\n\nCongrats :tada: you just validated the first images in your cluster!\nTo get started configuring and verifying your own images and signatures, please follow our [setup guide](https://sse-secure-systems.github.io/connaisseur/latest/getting_started/).\n\n## Discussions, support \u0026 feedback\nWe hope to steer development of Connaisseur from demand of the community, are excited about your feedback and happy to help if you need support! So feel free to connect with us via [GitHub Discussions](https://github.com/sse-secure-systems/connaisseur/discussions).\n\n## Contributing\nWe are always excited about direct contributions to improve the tool! Please refer to our [contributing guide](docs/CONTRIBUTING.md) to learn how to contribute to Connaisseur.\n\n## Security policy\n\nWe are grateful for any community support reporting vulnerabilities! How to submit a report is described in our [Security Policy](docs/SECURITY.md).\n\n## Wall of fame\n\nThanks to all the fine people directly contributing commits/PRs to Connaisseur:\n\n\u003ca href=\"https://github.com/sse-secure-systems/connaisseur/graphs/contributors\"\u003e\n  \u003cimg src=\"https://contributors-img.web.app/image?repo=sse-secure-systems/connaisseur\" /\u003e\n\u003c/a\u003e\n\nBig shout-out also to all who support the project via issues, discussions and feature requests :pray:\n\n## Contact\n\nYou can reach us via email under [connaisseur@securesystems.dev](mailto:connaisseur@securesystems.dev).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsse-secure-systems%2Fconnaisseur","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsse-secure-systems%2Fconnaisseur","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsse-secure-systems%2Fconnaisseur/lists"}