chains

Pipelines

A Kubernetes controller that signs Tekton TaskRun and PipelineRun results, producing SLSA‑compatible attestations for supply chain security

Track releases GitHub

Go Latest v0.27.0 · 6d ago Security brief →

Features

Signs `TaskRun` and `PipelineRun` execution snapshots with user‑provided cryptographic keys
Generates attestation formats such as SLSA v1 provenance
Supports multiple key types (x509, KMS) and storage backends for signatures

Recent releases

View all 5 releases →

No immediate action

v0.27.0 Mixed 6d

OpenTelemetry, insecure OCI, CI fix

Open

v0.26.3 Security relevant 1mo

Security fixes

CVE-2026-34986
CVE-2026-33211
CVE-2026-33186

Full changelog

-Docs @ v0.26.3
-Examples @ v0.26.3

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719

Obtain the attestation:

REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.26.3/release.yaml
REKOR_UUID=108e9186e8c5677a48f46d165fc47afed5b254fe710ca6cc3d34f49019f2e53df43d1417a0877719

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.26.3@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Security Fixes

:hammer: [Release-v0.26.x] fix: CVE-2026-34986, CVE-2026-33211, & CVE-2026-33186 (#1630)

Thanks

Thanks to these contributors who contributed to v0.26.3!

:heart: @anithapriyanatarajan
:heart: @infernus01

Extra shout-out for awesome release notes:

:heart_eyes: @anithapriyanatarajan
:heart_eyes: @infernus01

View release on GitHub

v0.25.2 Security relevant 1mo

Security fixes

CVE-2026-34986
CVE-2026-33211
CVE-2025-66506

Full changelog

Tekton Chains release v0.25.2

-Docs @ v0.25.2
-Examples @ v0.25.2

Installation one-liner

kubectl apply -f https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yaml

Attestation

The Rekor UUID for this release is 108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89

Obtain the attestation:

REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89
rekor-cli get --uuid $REKOR_UUID --format json | jq -r .Attestation | jq .

Verify that all container images in the attestation are in the release file:

RELEASE_FILE=https://infra.tekton.dev/tekton-releases/chains/previous/v0.25.2/release.yaml
REKOR_UUID=108e9186e8c5677ab39e35345194182802c6ea869f22ef31abb1d6cdeec12ef05964cb1b7580de89

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.25.2@sha256:" + .digest.sha256')

# Download the release file
curl -L "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done

Changes

Features

Fixes

Misc

:hammer: [release-v0.25.x] fix: ci action for release branch (#1632)
:hammer: [Release-v0.25.x] fix: CVE-2026-34986, CVE-2026-33211, CVE-2025-66506, & CVE-2026-33186 (#1631)

Docs

Thanks

Thanks to these contributors who contributed to v0.25.2!

:heart: @anithapriyanatarajan
:heart: @infernus01

Extra shout-out for awesome release notes:

:heart_eyes: @anithapriyanatarajan
:heart_eyes: @infernus01

View release on GitHub

v0.26.2 Security relevant 3mo

Security fixes

Dependency updates address CVE-2026-24137

View release on GitHub

v0.26.1 Security relevant 3mo

Security fixes

cosign upgrade to 2.6.2 addresses CVE-2025-66564 and CVE-2025-66506
CVE-2025-66506
CVE-2025-66506

View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Releases

View all →

Releases per month

Cadence 2.0 / wk

Last release 4d

Tracked 5

Security

Full profile →

Security score 8.5/10

OpenSSF 6.9/10

Open CVEs 0

Active maintainer

Community

GitHub stars 271

Forks 157

Open issues 72

Open PRs 11

Stars/wk velocity 0.0

About

Stars

271

Forks

157

Languages

Go Shell Makefile

View on GitHub

Install & Platforms

Install via

shell-script

Community & Support

Slack Community

Similar tools

perplexityai/bumblebee

About

Stars

271

Forks

157

Languages

Go Shell Makefile

View on GitHub

Install & Platforms

Install via

shell-script

Community & Support

Slack Community

Similar tools

perplexityai/bumblebee