SigPolicy

SigPolicy is a web app + CLI that enforces cryptographic signing policies across your software supply chain. It plugs into GitHub Actions/GitLab CI and blocks releases when artifacts aren't signed, are signed with deprecated algorithms, use keys shorter than the policy's minimum length, or lack required attestations (SLSA provenance, SBOM linkage). Teams define rules like "all containers must be signed with Sigstore keyless signing and verified against an OIDC identity" or "Windows binaries must be Authenticode-signed with an EV certificate and timestamped." It provides a simple policy-as-code editor, audit trails, and a dashboard showing compliance by repo, environment, and release. This isn't a general security scanner; it's a narrow gatekeeper focused on cryptographic integrity and verifiable signer identity. Realistically, it wins only if it's painless to adopt and reduces release risk without slowing developers down.