The Kubescape project manages this document in the central project repository.
Go to the centralized SECURITY.md
All Helm chart releases published from this repository include a signed provenance attestation generated using GitHub Artifact Attestations (keyless signing via GitHub OIDC + Sigstore).
Download the chart tarball from the releases page, then verify its provenance with the GitHub CLI:
```shell
gh attestation verify kubescape-operator-<version>.tgz \
  --repo kubescape/helm-charts
```

A successful verification confirms that the artifact was built by a GitHub Actions workflow in this repository and that its contents match what that workflow produced at build time: the SHA-256 digest of the file you downloaded equals the subject digest recorded in the signed attestation.
What attestation does NOT prove: the attestation covers build origin and provenance only. It ties the exact bytes of the tarball to a build in this repository; it does not guarantee that all tests passed, that the code was reviewed, or that the release is free of vulnerabilities. Always review the release notes and the relevant security advisories, and verify the exact file you are about to install rather than a copy fetched from elsewhere.
To additionally confirm that the artifact was produced by the specific release workflow (not just any workflow in this repository that can obtain a GitHub OIDC token), add --signer-workflow. Two workflows publish releases, so use the one that produced the release you are verifying; gh exits non-zero when the signing workflow does not match:

```shell
# For standard releases (with E2E tests):
gh attestation verify kubescape-operator-<version>.tgz \
  --repo kubescape/helm-charts \
  --signer-workflow kubescape/helm-charts/.github/workflows/03-helm-release.yaml

# For releases published without E2E tests:
gh attestation verify kubescape-operator-<version>.tgz \
  --repo kubescape/helm-charts \
  --signer-workflow kubescape/helm-charts/.github/workflows/04-helm-release-no-tests.yaml
```

All attestations are publicly visible at github.com/kubescape/helm-charts/attestations.
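The following is an added example, not code from the kubescape/helm-charts project, showing what the two checks above actually look at once the Sigstore signature has been verified: the in-toto subject digest must equal the SHA-256 of the local file, and the SLSA provenance must name the expected repository and one of the two release workflows. It does not verify the signature or certificate chain at all (assumption: gh has already done that, or you run this on bundles fetched with gh attestation download, which writes one Sigstore bundle per line of a .jsonl file). The tarball bytes and the bundle are constructed inline; the field layout is modelled on the SLSA v1 provenance predicate that GitHub Actions emits, and the RELEASE_WORKFLOWS set simply lists the two workflow paths named on this page.

```python
"""Offline inspection of a GitHub artifact attestation bundle (added example).

Checks the content and origin claims inside a Sigstore bundle; the signature
itself is NOT verified here, that is gh's job."""
import base64
import hashlib
import json

REPO = "kubescape/helm-charts"
# The two workflows this page names as publishers of chart releases.
RELEASE_WORKFLOWS = {
    ".github/workflows/03-helm-release.yaml",
    ".github/workflows/04-helm-release-no-tests.yaml",
}

# Constructed stand-in for kubescape-operator-<version>.tgz; not a real chart.
SAMPLE_TARBALL = b"constructed placeholder bytes, not a real Helm chart\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_TARBALL).hexdigest()


def make_statement(digest, workflow_path, repo=REPO, ref="refs/tags/v1.0.0"):
    """Construct an in-toto v1 statement with a SLSA v1 provenance predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "kubescape-operator-1.0.0.tgz",
                     "digest": {"sha256": digest}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://actions.github.io/buildtypes/workflow/v1",
                "externalParameters": {"workflow": {
                    "ref": ref,
                    "repository": f"https://github.com/{repo}",
                    "path": workflow_path}},
            },
            "runDetails": {"builder": {
                "id": f"https://github.com/{repo}/{workflow_path}@{ref}"}},
        },
    }


def make_bundle_line(statement):
    """Wrap a statement in a DSSE envelope the way a Sigstore bundle carries it.
    The signature is a placeholder because this example never verifies it."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({
        "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
        "verificationMaterial": {},
        "dsseEnvelope": {"payloadType": "application/vnd.in-toto+json",
                         "payload": payload,
                         "signatures": [{"sig": "PLACEHOLDER-NOT-A-SIGNATURE"}]},
    })


def check_provenance(bundle_jsonl, artifact_bytes, repo=REPO,
                     allowed_workflows=RELEASE_WORKFLOWS):
    """Return (True, workflow_path) if some attestation in the bundle covers
    artifact_bytes and names an allowed workflow in repo, else (False, reason).
    Fails closed: anything missing or malformed counts as a failure."""
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    reasons = []
    for line in bundle_jsonl.splitlines():
        if not line.strip():
            continue
        try:
            env = json.loads(line)["dsseEnvelope"]
            if env["payloadType"] != "application/vnd.in-toto+json":
                reasons.append(f"unexpected payloadType {env['payloadType']!r}")
                continue
            stmt = json.loads(base64.b64decode(env["payload"]))
            if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
                reasons.append(f"not SLSA v1 provenance: {stmt.get('predicateType')!r}")
                continue
            # Content check: the file on disk must be one of the signed subjects.
            digests = {s.get("digest", {}).get("sha256") for s in stmt["subject"]}
            if actual not in digests:
                reasons.append("subject digest does not match the local file")
                continue
            # Origin check: repository and workflow path recorded in the provenance.
            wf = stmt["predicate"]["buildDefinition"]["externalParameters"]["workflow"]
            if wf["repository"] != f"https://github.com/{repo}":
                reasons.append(f"built in {wf['repository']}, not {repo}")
                continue
            if wf["path"] not in allowed_workflows:
                reasons.append(f"signed by non-release workflow {wf['path']}")
                continue
            return True, wf["path"]
        except (KeyError, TypeError, ValueError) as exc:
            reasons.append(f"malformed attestation: {exc!r}")
    return False, "; ".join(reasons) or "bundle contains no attestations"


if __name__ == "__main__":
    good = make_bundle_line(make_statement(SAMPLE_DIGEST, ".github/workflows/03-helm-release.yaml"))
    print(check_provenance(good, SAMPLE_TARBALL))                # accepted
    print(check_provenance(good, SAMPLE_TARBALL + b"tampered"))  # digest mismatch
    other = make_bundle_line(make_statement(SAMPLE_DIGEST, ".github/workflows/99-ci.yaml"))
    print(check_provenance(other, SAMPLE_TARBALL))               # wrong workflow
```

The tampered-file and wrong-workflow cases are the two failures the --signer-workflow step is meant to catch: a modified tarball no longer matches any signed subject, and a build from some other workflow in the repository (or from a fork with the same file name) is rejected because the provenance records the repository URL and workflow path, not just the file name.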