Do we need both OPA/Gatekeeper and Kyverno?

Pick one for admission control; both are solid. Kyverno has a friendlier YAML DSL (and verifyImages for Cosign). Gatekeeper is great if you’re already deep into Rego. Many teams start with Kyverno policies and keep OPA/Rego for non-K8s checks via conftest.

How do we handle legacy services that can’t be rebuilt for signing?

Wrap them with signed deployment manifests and a Kyverno/Gatekeeper policy that enforces signatures on the wrapper images or Helm charts. Add a timeboxed waiver and a remediation plan. Prioritize migrating these to signed images over time.

Won’t scanning and signing slow down our pipeline?

If you push everything into the PR path, yes. Keep PR checks under 5 minutes and run heavier scans on main. Cache dependencies, scan only changed modules, and parallelize image scans. Signing and attestation themselves are fast (seconds) with keyless Cosign.

Where should we store evidence?

Use your OCI registry (ECR/GHCR/Harbor) for SBOMs, signatures, and attestations—they travel with the artifact. Keep reports in your artifact store and link them in tickets/GRC. Export policy decision logs to your SIEM for searchability.

How do we prove to auditors that the cluster enforces policies?

Show the admission policies (Kyverno/Gatekeeper), logs of rejections, and successful verification commands (`cosign verify`). Provide links to the exact policies in Git with change history and approvals. That forms your automated proof.

What about AI-generated code sneaking in risky dependencies?

Require SBOMs for every build, block unknown or disallowed licenses, and diff SBOMs in PRs. It’s the fastest way to catch surprise transitive deps from AI-generated code. We’ve added these checks during vibe code cleanup engagements with minimal disruption.

Security-compliance · Dec 2, 2025 · 10 minute read

The Release That Survived the Audit: OPA, Cosign, and Attestations in Your CI/CD

Turn policies into enforceable guardrails, generate automated proofs, and keep shipping without getting your sprint hijacked by compliance.

Back to all posts

The Release That Survived the Audit: OPA, Cosign, and Attestations in Your CI/CD

Key takeaways

Implementation checklist