Docker image signing (Cosign), SBOM generation, SLSA provenance attestation, GHCR registry management.
Install
mkdir -p .claude/skills/supply-chain-security && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/14519" && unzip -o skill.zip -d .claude/skills/supply-chain-security && rm skill.zip
Installs to .claude/skills/supply-chain-security. The one-liner does not checksum or signature-verify the downloaded zip; review the unpacked files before letting an agent act on them.
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Description: Docker image signing (Cosign), SBOM generation, SLSA provenance attestation, GHCR registry management. (102 chars; no explicit "when" trigger.)
About this skill
Supply Chain Security (RESTO BOT)
Docker image pipeline
- Build: project/.github/workflows/build-push-artifacts.yml
- Registry: GitHub Container Registry (GHCR)
- Images built: gateway, admin-dashboard, kiosk-app, cms (Strapi)
Signing and attestation
- Cosign: image signing with a key pair; consumers need only the matching public key (cosign.pub) to verify
- Secrets: COSIGN_PASSWORD, COSIGN_PRIVATE_KEY (GitHub Actions secrets)
- Verify: cosign verify --key cosign.pub <image>
  Verify against the image digest (<image>@sha256:<digest>) rather than a mutable tag, and keep the command output as the signing evidence
- SBOM: Software Bill of Materials generated per build
- SLSA provenance: attestation recording which builder produced the image, from which source revision and with which build parameters
SHA-pinning policy
- All GitHub Actions must use SHA-pinned references
- Example: uses: actions/checkout@...  # v4
  The ref after @ must be the full 40-character commit SHA, not a mutable tag such as @v4 and not an image-style sha256: digest (GitHub Actions does not accept digests for action references); the tag is kept only as a trailing comment
- Enforced in CI lint step
Version consistency
- N8N_VERSION must match across:
  project/.env
  project/.github/workflows/ci.yml
  project/.github/workflows/security-scan.yml
- Base images pinned in Dockerfiles and compose
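The SHA-pin audit and the N8N_VERSION consistency check described above, as an added shell example (not the RESTO BOT project's own CI lint step): it lists every `uses:` reference in the given workflow files whose ref is not a full 40-hex commit SHA, and compares the N8N_VERSION declared in .env and the two workflows. The workflow contents, the .env file and the placeholder commit SHA are constructed for the demo and are not taken from the project.

```shell
#!/usr/bin/env bash
# Added example, not RESTO BOT tooling: SHA-pin audit for GitHub Actions plus an
# N8N_VERSION consistency check. Sample files below are constructed for the demo.
set -eu

# Print every `uses:` reference in the given workflow files whose ref is not a
# full 40-hex-character commit SHA, one "file: owner/repo@ref" line each.
# Local actions (./path) and docker:// images are outside the pinning policy.
list_unpinned_uses() {
  local file line target ref
  for file in "$@"; do
    grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$file" | while IFS= read -r line; do
      target=${line#*uses:}
      # strip surrounding whitespace/quotes and the trailing "# v4" comment
      target=$(printf '%s' "$target" | sed -E "s/^[[:space:]]*['\"]?//; s/[[:space:]]*#.*$//; s/['\"]?[[:space:]]*$//")
      case "$target" in
        ./*|docker://*) continue ;;
      esac
      ref=${target#*@}
      # no '@' at all, or a tag/branch instead of a commit SHA -> violation
      if [ "$ref" = "$target" ] || ! printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
        printf '%s: %s\n' "$file" "$target"
      fi
    done
  done
}

# Return 0 when every reference is pinned, 1 otherwise (violations on stderr).
audit_sha_pins() {
  local bad
  bad=$(list_unpinned_uses "$@")
  [ -z "$bad" ] || { printf '%s\n' "$bad" >&2; return 1; }
}

# Print the N8N_VERSION declared in a file (.env KEY=value or YAML KEY: value),
# or MISSING when the file declares none.
n8n_version_in() {
  local v
  v=$(grep -Eo "N8N_VERSION[[:space:]]*[:=][[:space:]]*['\"]?[^'\"[:space:]]+" "$1" | head -n1 \
        | sed -E "s/^N8N_VERSION[[:space:]]*[:=][[:space:]]*['\"]?//")
  printf '%s\n' "${v:-MISSING}"
}

# Return 0 when all given files declare the same N8N_VERSION, 1 on drift or a
# missing declaration; prints one line per file so the report can be attached.
check_version_consistency() {
  local file v first="" rc=0
  for file in "$@"; do
    v=$(n8n_version_in "$file")
    printf '%s  N8N_VERSION=%s\n' "$file" "$v"
    [ "$v" != MISSING ] || rc=1
    if [ -z "$first" ]; then first=$v; elif [ "$v" != "$first" ]; then rc=1; fi
  done
  return $rc
}

# --- constructed demo inputs (the SHA below is a placeholder, not a real commit) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/.github/workflows"
printf 'N8N_VERSION=1.80.0\n' > "$demo_dir/.env"
cat > "$demo_dir/.github/workflows/ci.yml" <<'EOF'
env:
  N8N_VERSION: "1.80.0"
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: ./.github/actions/local-lint
      - uses: docker/setup-buildx-action@v3
EOF
cat > "$demo_dir/.github/workflows/security-scan.yml" <<'EOF'
env:
  N8N_VERSION: 1.79.0
jobs:
  scan:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
EOF

# ci.yml fails the pin audit (setup-buildx-action@v3); security-scan.yml drifts on N8N_VERSION.
if audit_sha_pins "$demo_dir"/.github/workflows/*.yml; then echo "SHA-pin audit: PASS"; else echo "SHA-pin audit: FAIL"; fi
if check_version_consistency "$demo_dir/.env" "$demo_dir/.github/workflows/ci.yml" "$demo_dir/.github/workflows/security-scan.yml"; then
  echo "Version consistency: PASS"
else
  echo "Version consistency: FAIL"
fi
```

Point the two functions at the real project/.github/workflows/*.yml and project/.env and attach their printed output as the "SHA-pin audit" and "Version consistency check" items of the required output; a non-zero exit from either is a policy failure the lint step should fail the build on.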
Image inventory
| Image | Source | Signed |
|---|---|---|
| nginx:1.27-alpine | Docker Hub | N/A (upstream) |
| n8n:1.80.0 | docker.n8n.io | N/A (upstream) |
| postgres:15-alpine | Docker Hub | N/A (upstream) |
| redis:7-alpine | Docker Hub | N/A (upstream) |
| traefik:v3.6.6 | Docker Hub | N/A (upstream) |
| ollama:0.6.2 | Docker Hub | N/A (upstream) |
| gateway (custom) | GHCR | Cosign |
| admin-dashboard (custom) | GHCR | Cosign |
| kiosk-app (custom) | GHCR | Cosign |
| cms (custom) | GHCR | Cosign |
Key files
project/.github/workflows/build-push-artifacts.yml
project/.github/workflows/security-scan.yml (Trivy)
project/admin-dashboard/Dockerfile
project/kiosk-app/Dockerfile
project/inventory-cms/Dockerfile
Required output
- Signing verification evidence
- SBOM generation confirmation
- SHA-pin audit for GitHub Actions
- Version consistency check