Security
Verification of container images
Grafana-operator container images are signed by cosign using identity-based (“keyless”) signing and transparency. Executing the following command can be used to verify the signature of a container image:
To verify the grafana-operator run
Pre-requirement
- cosign v2.0.0 or higher installation instructions.
cosign verify ghcr.io/grafana/grafana-operator@<version> \
--certificate-identity-regexp 'https://github\.com/grafana/grafana-operator/\.github/workflows/.+' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
For example
cosign verify ghcr.io/grafana/grafana-operator@v5.6.1 \
--certificate-identity-regexp 'https://github\.com/grafana/grafana-operator/\.github/workflows/.+' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
SBOM
As a part of our release cycle we also generate SBOMs. You can find them as artifacts in our supported repositories.
To download the sbom you can run
cosign download sbom --platform linux/amd64 ghcr.io/grafana/grafana-operator:<version>
example:
cosign download sbom --platform linux/amd64 ghcr.io/grafana/grafana-operator:v5.6.1