“It’s like an AirTag for your code”
Use Endor Labs to sign packages and containers with detailed metadata that enables admission controls and traceability to support effective security, quality, and compliance programs.
Where has your code been?
With artifact signing, you can trace the origin of artifacts deployed in production, confirming that they followed secure development practices for compliance attestation or speeding up incident response.
Artifact signing with Endor Labs includes critical information such as the corresponding source code repository, branch, code commit, and repository owner.
Speed up the investigative process by verifying that the affected artifacts are valid.
Identify where affected code is running in their environment so it can be upgraded / replaced.
Ensure that no new instances of a vulnerable version can ever be deployed.
Quickly connect the affected artifacts to the responsible teams for deeper investigation and correction.
Draw a bright line to the code, package, and configuration repositories the artifacts belong to, and quickly determine what controls and tools ran in the pipeline.
Code signing vs Artifact signing
Code signing
Is providing a trusted cryptographic signature on executable code. It can establish that an authority has approved the release of a particular component. When code is signed, you can have high confidence that the code was created and distributed by the person or organization (or other entity) that signed it, and you can apply automation that makes sure you’re only running code distributed by entities you trust.
Artifact signing
Expands the concept of code signing beyond applications and their components to any artifact you might produce. This means you can get the benefits of being able to verify the source of not only the code, but things like a complete container, system configuration files, media assets—in short, whatever you’re willing to sign and verify.
In other words, artifact signing includes all of your code, but code signing doesn’t include all of your artifacts.
Why not use Sigstore?
Many organizations start by exploring Sigstore but encounter a significant problem. To use Sigstore, they have to make a tradeoff: Use a publicly-viewable transparency log or deal with the complexity of deploying and managing the necessary infrastructure to implement Sigstore at scale. With Endor Labs, you don’t have to choose. We offer an option that’s both private and simple.
Private
Control access to signature and verification data, eliminating worries of exposing sensitive metadata to competitors or adversaries.
Seamless
No new identity system to manage. Use your existing SSO identities for keyless authentication at both signing and verification points.
Simple
A few lines of configuration in your pipelines is all it takes to begin signing artifacts; no new infrastructure or complex key management to maintain