Chainguard Guardener Actions Security
Configure Chainguard Guardener to recommend and migrate your GitHub Actions to Chainguard's hardened, SHA-pinned …
For the complete documentation index, see llms.txt.
The Commit Verification feature verifies that every commit in a pull request is cryptographically signed by an authorized signer, according to a policy you control. This ensures that changes to your codebase come from identities you trust, and it supports both keyless (Sigstore) signatures and static keys such as GPG.
Keyless commit signatures are verified using gitsign and Sigstore. Static key authorities (such as GPG) are verified directly against the key material you supply, without gitsign.
Add a .chainguard/source.yaml file to your repository that defines one or more authorities. A commit is accepted if it satisfies any of the listed authorities.
spec:
authorities:
- keyless:
url: https://fulcio.sigstore.dev
identities:
- subjectRegExp: .+@example.com$
issuer: https://accounts.google.com
ctlog:
url: https://rekor.sigstore.devThe example above accepts commits signed with keyless Sigstore signatures where the signer’s identity is an @example.com address authenticated through Google.
A keyless authority verifies short-lived certificates issued by a Sigstore certificate authority (Fulcio) and logged in a transparency log (Rekor). Use identities to constrain which signer identities are trusted. The fields in the example above are:
keyless.url — the Fulcio instance that issued the signing certificate.keyless.identities — one or more identity constraints. Each entry matches the certificate’s subject and issuer.subjectRegExp — a regular expression the signer’s subject (for example, an email address) must match. Use subject for an exact match instead.issuer — the OIDC issuer that authenticated the signer (for example, https://accounts.google.com). Use issuerRegExp for a pattern match.ctlog.url — the transparency log (Rekor) instance used to verify the signature was logged.A key authority verifies signatures made with a static key, such as GPG. This is useful for accepting commits signed by well-known keys — for example, GitHub’s own web-flow key used when merging in the web UI:
spec:
authorities:
- key:
kms: https://github.com/web-flow.gpgBecause a commit is accepted if it satisfies any authority, you can allow several trusted sources at once. The following policy accepts commits signed either by an @example.com Sigstore identity or by GitHub’s web-flow key:
spec:
authorities:
- keyless:
url: https://fulcio.sigstore.dev
identities:
- subjectRegExp: .+@example.com$
issuer: https://accounts.google.com
ctlog:
url: https://rekor.sigstore.dev
- key:
kms: https://github.com/web-flow.gpg| Field | Purpose |
|---|---|
spec.authorities | List of authorities. A commit is accepted if it satisfies any one of them. |
spec.authorities[].keyless.url | Fulcio instance that issued the signing certificate. |
spec.authorities[].keyless.identities[].subjectRegExp | Regular expression the signer’s subject must match. |
spec.authorities[].keyless.identities[].issuer | OIDC issuer that authenticated the signer. |
spec.authorities[].ctlog.url | Transparency log (Rekor) instance used to verify the signature. |
spec.authorities[].key.kms | Reference to a static key (for example, GPG) used to verify signatures. |
.chainguard/ configuration model.Last updated: 2026-07-08 00:00