An organization wants to implement supply chain security by signing all container images and verifying them before deployment. Which combination of tools is appropriate?
Cosign signs and verifies images, and Kyverno can enforce admission policies to require signatures.
Why this answer
Cosign signs and verifies container images. Kyverno (or OPA/Gatekeeper) enforces verification as a Kubernetes admission policy, so the correct combination is Cosign for signing and Kyverno for enforcement.
Trivy and Syft perform vulnerability scanning and SBOM generation, not signing. Notary is another signing tool, but Cosign is more common.
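The combination described above, as an added example that is not part of the original question or of either project's documentation: a Kyverno ClusterPolicy that uses the `verifyImages` rule type to admit Pods only when their images carry a Cosign signature made with a known key. The registry prefix `registry.example.com/myteam/*`, the policy name and the placeholder public key are assumptions chosen for the example; the key would be the `cosign.pub` produced by `cosign generate-key-pair`, and images would be signed beforehand with `cosign sign --key cosign.key <image>`.

```yaml
# Added example (not from the original page): Kyverno admission policy that
# requires a Cosign signature on every image pulled from an assumed registry path.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-cosign-signature   # assumed name
spec:
  # Enforce rejects non-compliant Pods; use Audit first to see what would be blocked.
  validationFailureAction: Enforce
  # Image verification only makes sense at admission time, not in background scans.
  background: false
  # Fail closed if the webhook cannot reach Kyverno (otherwise unsigned images slip through).
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  rules:
    - name: check-image-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            # Only images under this assumed path are checked; anything else is admitted untouched.
            - "registry.example.com/myteam/*"
          # A missing signature is a failure, not a skip.
          required: true
          # Rewrite the tag to the verified digest so the running Pod cannot drift from what was checked.
          mutateDigest: true
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder: paste the contents of cosign.pub here.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <COSIGN_PUBLIC_KEY_PLACEHOLDER>
                      -----END PUBLIC KEY-----
```

Once applied, a Pod whose image under that prefix was never signed (or was signed with a different key) is rejected at admission, while `cosign verify --key cosign.pub <image>` run by hand shows the same verdict the admission controller reached. Starting in `Audit` mode and reviewing Kyverno's policy reports before switching to `Enforce` avoids blocking workloads whose images were built before signing was introduced.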