rekor-monitor
Transparency-log monitoring for Sigstore's Rekor so maintainers can watch for suspicious signing events.
Best for
Alerting on compromised release identities instead of discovering problems after distribution.
Surface
Sigstore / provenance
Catalog group
Verify supply chains and enforce engineering policy
Repository
sigstore/rekor-monitor
From the README
Rekor Log Monitor provides an easy-to-use monitor to verify log consistency, i.e. that the log is immutable and append-only. Monitoring is critical to the transparency log ecosystem, as logs are tamper-evident but not tamper-proof. Rekor Log Monitor also provides a monitor to search for identities within a log and send a list of found identities via various notification platforms.
Related tools · Verify supply chains and enforce engineering policy
- It-Depends Dependency-graph and SBOM builder for packages and arbitrary source repositories.
- cargo-unmaintained Identifies unmaintained packages in Rust projects before they quietly become inherited risk.
- Dylint Runs custom Rust lints from dynamic libraries rather than a single fixed lint set.
- semgrep-rules Public Semgrep queries developed during audits, research, and internal engineering work.
- codeql-queries Public CodeQL query packs used to express deeper code and data-flow policies.