Cosign is a container signing and verification tool. Part of Sigstore — a project under the Cloud Native Computing Foundation (CNCF) umbrella aimed at simplifying software signing and transparency — Cosign supports not only Docker and Open Container Initiative (OCI) images but also other artifacts that can be stored in a container registry. We previously talked about Docker Notary, which also operates in this space; Notary v1, however, has some disadvantages: it's not registry native and needs a separate Notary server. Cosign avoids this problem and stores the signatures in the registry next to an image. It currently has integrations with GitHub actions and Kubernetes using a Webhook with further integrations in the pipeline. We've used Cosign in some of our projects and it looks quite promising.
