Verify yourself.
Every artifact we ship is cosign-signed against a publicly verifiable key. Nothing about our supply chain depends on you trusting our marketing copy. Run the verification command below; the output is the proof.
Run this on your machine:

$ cosign verify --key cosign.pub ghcr.io/trustacks/runner:latest

A successful verification confirms the artifact was signed by TruStacks and has not been tampered with since.
What we sign and why.
Signed Rego policy bundles
Constitution and customer overlay are both cosign-signed. An init-container verifies the bundle before the workload extracts it. If the signature fails, the workload does not start.
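The verify-then-extract gate described above, written out as an added example (it is not TruStacks' own init-container code). It assumes, hypothetically, that the policy bundle is a gzipped tarball, that the bundle, its detached signature and the pinned public key are mounted at the paths in BUNDLE_PATH, BUNDLE_SIG and COSIGN_PUB, and that cosign is on PATH in the init-container image; whether verify-blob also needs transparency-log options depends on how the bundle was signed. The script extracts only after cosign accepts the signature and exits non-zero otherwise, which is what makes the pod refuse to start.

```shell
#!/bin/sh
# Init-container gate for a cosign-signed policy bundle (added example).
# Assumed mount points; the pod spec would provide these (hypothetical paths).
BUNDLE_PATH="${BUNDLE_PATH:-/bundles/policy.tar.gz}"
BUNDLE_SIG="${BUNDLE_SIG:-/bundles/policy.tar.gz.sig}"
COSIGN_PUB="${COSIGN_PUB:-/keys/cosign.pub}"
EXTRACT_DIR="${EXTRACT_DIR:-/policy}"

# verify_bundle BUNDLE SIG KEY
# Returns 0 only when cosign accepts the detached signature over the bundle
# bytes with the pinned public key. A missing input returns 2; a rejected
# signature or a cosign failure returns cosign's own non-zero status.
verify_bundle() {
    bundle="$1"; sig="$2"; key="$3"
    [ -f "$bundle" ] && [ -f "$sig" ] && [ -f "$key" ] || return 2
    cosign verify-blob --key "$key" --signature "$sig" "$bundle" >/dev/null 2>&1
}

# gate
# Verifies first and extracts only on success. On any failure nothing is
# written to EXTRACT_DIR and the function returns 1, so the init-container
# exits non-zero and the workload container is never started.
gate() {
    if verify_bundle "$BUNDLE_PATH" "$BUNDLE_SIG" "$COSIGN_PUB"; then
        mkdir -p "$EXTRACT_DIR" && tar -xzf "$BUNDLE_PATH" -C "$EXTRACT_DIR"
        return $?
    fi
    echo "policy bundle signature verification failed; refusing to start" >&2
    return 1
}

# As an init-container entrypoint: sh verify-bundle.sh run
if [ "${1:-}" = "run" ]; then
    gate
    exit $?
fi
```

The ordering is the whole point: the bundle is untrusted bytes until cosign returns 0, so no step (not even listing the tarball) touches it before verification, and the only success path is the one that follows a passing check.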
Runner image SBOM + cosign signing
The runner image ships with a Software Bill of Materials and a cosign signature against a publicly verifiable key. Production push + keyless OIDC arrive with our GCP rollout.
No production credentials in agent hands
The agent crew opens pull requests against a separate platform repo. ArgoCD or Flux deploys merged PRs. Credentials never leave your environment, and there is no autonomous merge path.
Want a deeper supply-chain walkthrough?
We’ll show you the signing pipeline, the SBOM contents, and how the init-container verifies the bundle before workloads start.