Integrate Cosign with Vulnetix. Sign container images and attach SBOM attestations using Sigstore's keyless signing infrastructure. Extract the SBOM from attestations for Vulnetix upload.
Type: CLI tool. Targets: container images and artifacts. SBOM formats: CycloneDX, SPDX.
Install & scan

# Go install (Go 1.20+)
go install github.com/sigstore/cosign/v3/cmd/cosign@latest

# Homebrew (macOS/Linux)
brew install cosign

# Binary download
curl -O -L https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
sudo mv cosign-linux-amd64 /usr/local/bin/cosign && sudo chmod +x /usr/local/bin/cosign

# GitHub Actions
- uses: sigstore/cosign-installer@main

# Attach an SBOM to a container image (keyless, in CI)
cosign attest --type spdx --predicate sbom.spdx.json my-registry/my-image:latest

# Attach a CycloneDX SBOM
cosign attest --type cyclonedx --predicate sbom.cdx.json my-registry/my-image:latest
Run Cosign in CI
On every push, generate an SBOM, sign the image, attach the SBOM as an attestation, and upload the SBOM to Vulnetix:
# Job-level fragment: IMAGE_URI must be set earlier in the job to the image you built and pushed.
permissions:
  id-token: write    # required for keyless (OIDC) signing
  packages: write    # required to push the signature and attestation to the registry
steps:
  - name: Install Cosign
    uses: sigstore/cosign-installer@main
  - name: Install Syft
    # cosign-installer only installs cosign; syft needs its own install step
    uses: anchore/sbom-action/download-syft@v0
  - name: Generate SBOM
    run: syft $IMAGE_URI -o spdx-json=sbom.spdx.json
  - name: Sign image and attach SBOM
    run: |
      # --yes skips the interactive keyless confirmation prompt in CI
      cosign sign --yes $IMAGE_URI
      cosign attest --yes --type spdx --predicate sbom.spdx.json $IMAGE_URI
  - name: Upload SBOM to Vulnetix
    run: vulnetix upload --file sbom.spdx.json
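The extraction step mentioned at the top of this page (pulling the SBOM back out of a Cosign attestation for Vulnetix upload) is shown below as an added example; it is not Vulnetix's or Cosign's own code. It assumes a workflow identity regexp and OIDC issuer that you supply to cosign verify-attestation, and the sample values in the comments are constructed.

```python
"""Verify a Cosign SBOM attestation and pull the SBOM back out for Vulnetix upload."""
import base64
import json
import subprocess
from typing import Optional, Tuple

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
# predicateType URIs Cosign writes for --type spdx/spdxjson and --type cyclonedx
SBOM_PREDICATE_TYPES = {
    "https://spdx.dev/Document": "spdx",
    "https://cyclonedx.org/bom": "cyclonedx",
}


def parse_envelope(envelope_json: str) -> dict:
    """Decode one DSSE envelope (one line of cosign output) into its in-toto Statement."""
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def extract_sbom(statement: dict, image_digest: Optional[str] = None) -> Tuple[str, object]:
    """Return (format, sbom); reject non-SBOM predicates and subjects that do not match the image."""
    fmt = SBOM_PREDICATE_TYPES.get(statement.get("predicateType"))
    if fmt is None:
        raise ValueError(f"not an SBOM attestation: {statement.get('predicateType')!r}")
    if image_digest is not None:  # e.g. "sha256:<64 hex chars>" from the registry
        subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
        if image_digest.split(":", 1)[-1] not in subjects:
            raise ValueError("attestation subject does not match the image digest")
    predicate = statement["predicate"]
    # Cosign embeds the predicate as a JSON object or, for some --type values, as a string;
    # a string that parses as JSON is returned as an object, tag-value SPDX stays as text.
    if isinstance(predicate, str):
        try:
            predicate = json.loads(predicate)
        except json.JSONDecodeError:
            pass
    return fmt, predicate


def verify_and_extract(image: str, identity_regexp: str, issuer: str, predicate_type: str = "spdx") -> list:
    """Run `cosign verify-attestation` (signature + identity check) and extract every SBOM it returns."""
    cmd = ["cosign", "verify-attestation", "--type", predicate_type,
           "--certificate-identity-regexp", identity_regexp,  # assumption: your workflow's identity
           "--certificate-oidc-issuer", issuer, image]        # e.g. https://token.actions.githubusercontent.com
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return [extract_sbom(parse_envelope(line)) for line in out.splitlines() if line.strip()]
```

Write the returned predicate out with json.dump to sbom.spdx.json (or sbom.cdx.json) and pass that file to vulnetix upload --file as in the workflow above.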
Centralise Cosign results in Vulnetix
Upload the CycloneDX or SPDX SBOMs you attest with Cosign to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.