Supply Chain Attestation
Prove what built your software and that it wasn't tampered with.
Runtimekindle generates SLSA L2 provenance records for every build artifact, integrates with Sigstore cosign for cryptographic signing, and enforces K8s admission policies that block unattested workloads from deploying.
Provenance Chain
From source commit to deployed artifact — fully attested
SLSA L2 provenance generation
Every build produces a signed SLSA Level 2 provenance record containing: builder identity, source commit SHA, build commands, and artifact digests. Records are stored in Rekor (the Sigstore transparency log) for independent verification.
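As an added example (not Runtimekindle's code), here is the kind of content check a verifier runs over a SLSA v0.2 provenance record of the shape described above, once cosign has already verified the signature over it; the statement, repository, workflow name and digests are constructed placeholders.

```python
import hashlib

# Constructed sample: an in-toto Statement carrying a SLSA v0.2 provenance
# predicate. All names, URIs and digests below are assumed placeholder values.
SAMPLE_DIGEST = hashlib.sha256(b"constructed image bytes").hexdigest()
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "ghcr.io/example-org/app", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        # builder identity: the CI workflow that ran the build
        "builder": {"id": "https://github.com/example-org/app/.github/workflows/build.yml@refs/heads/main"},
        "buildType": "https://example.invalid/build/v1",
        # source commit and entry point that were invoked
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/app@refs/heads/main",
            "digest": {"sha1": SAMPLE_COMMIT},
            "entryPoint": ".github/workflows/build.yml"}},
        "materials": [{"uri": "git+https://github.com/example-org/app@refs/heads/main",
                       "digest": {"sha1": SAMPLE_COMMIT}}],
    },
}


def check_provenance(statement, artifact_sha256, trusted_builder_prefix, source_repo_uri):
    """Return the list of policy violations for a provenance record (empty = accept).
    Only the record's contents are checked here; the signature over the record
    (the DSSE envelope cosign produces) must be verified before trusting it.
    """
    problems = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType")
    pred = statement.get("predicate", {})
    # 1. The artifact being deployed must appear as a subject of the record.
    subject_digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if artifact_sha256 not in subject_digests:
        problems.append("artifact digest not listed as a subject")
    # 2. The builder must be the trusted CI identity, not an arbitrary signer.
    if not pred.get("builder", {}).get("id", "").startswith(trusted_builder_prefix):
        problems.append("builder id not trusted")
    # 3. The source must be pinned to a full commit SHA from the expected repository.
    pinned = [m for m in pred.get("materials", [])
              if m.get("uri", "").startswith(source_repo_uri)
              and len(m.get("digest", {}).get("sha1", "")) == 40]
    if not pinned:
        problems.append("source not pinned to a commit in the expected repository")
    return problems
```

A record that passes all three checks still only proves what the signer attested; the builder prefix must be the specific trusted workflow, not the whole organisation, or any repository under it could mint acceptable provenance.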
Sigstore cosign integration
Artifacts are signed using Sigstore's keyless cosign workflow — no key management required. Signatures are tied to a short-lived OIDC-issued certificate from your CI identity (GitHub Actions OIDC, GitLab CI token), not a long-lived secret key.
K8s admission policy enforcement
The Runtimekindle admission webhook enforces one rule: only images with a valid cosign signature from your CI identity may deploy. Works with OPA Gatekeeper and Kyverno. No attestation = deploy blocked. No exceptions, no manual override.
Compliance evidence export
Export provenance records in formats accepted by SOC 2 auditors, FedRAMP reviewers, and enterprise security questionnaires. Runtimekindle generates the evidence — your team doesn't write spreadsheets to prove where software came from.
SLSA L2 provenance on your next build.
Add the GitHub Action, push a build, and your artifact is attested. No key management, no infrastructure changes.