Improving Fluent Bit Supply Chain Security with Cosign from OpenSSF

Written by Patrick Stephens in Fluent Bit on January 19, 2023

This is a quick follow-up to a previous post covering some of the improvements Calyptia is making as the maintainers of Fluent Bit. We have been signing the Fluent Bit official container images with Cosign for a while now, and recently we added it to the OpenSSF landscape to publicize this fact.

What is Cosign?

The OpenSSF (Open Source Software Security Foundation) provides lots of useful tooling to improve supply chain security for open source projects. One of these tools is the sigstore project, which “allows developers to securely sign software artifacts”; its Cosign tooling is specifically for signing OCI (container) images.

Signing the Fluent Bit container images with Cosign ensures that users can verify that the image they are using is the official one built and provided by the Fluent Bit project. Full details on verifying the signature can be found in the documentation.
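As an added example (not from the original post or the Fluent Bit project), the shell function below wraps `cosign verify` so that a deployment step fails closed on a missing or invalid signature and otherwise returns a digest-pinned reference to the exact image that was verified. The image reference and key location are placeholders to be taken from the documentation; it assumes `cosign` is installed and reads the `docker-manifest-digest` field from the verification output.

```shell
#!/bin/sh
# Added example: fail-closed signature check that pins the verified digest.
# Usage (placeholders, take the real values from the Fluent Bit documentation):
#   ref=$(verified_ref "<registry>/<fluent-bit-image>:<tag>" "<project-public-key>") || exit 1
#   docker pull "$ref"

# verified_ref IMAGE KEY
# Prints REPO@sha256:... only when cosign accepts a signature made with KEY.
verified_ref() {
    image=$1
    key=$2
    [ -n "$image" ] && [ -n "$key" ] || {
        echo "usage: verified_ref IMAGE KEY" >&2; return 2; }

    # cosign exits non-zero when no signature validates against the key;
    # the signed payload(s) are written to stdout as JSON.
    out=$(cosign verify --key "$key" "$image" 2>/dev/null) || {
        echo "REJECT: no valid signature for $image" >&2; return 1; }

    # Collect the manifest digest(s) named inside the signed payload.
    digests=$(printf '%s\n' "$out" \
        | grep -oE '"docker-manifest-digest":[[:space:]]*"sha256:[0-9a-f]{64}"' \
        | grep -oE 'sha256:[0-9a-f]{64}' | sort -u)
    count=$(printf '%s\n' "$digests" | grep -c 'sha256:' || true)
    [ "$count" -eq 1 ] || {
        echo "REJECT: expected exactly one signed digest, got $count" >&2
        return 1; }

    # Drop any @digest or :tag from the reference, keeping a registry port.
    repo=${image%@*}
    last=${repo##*/}
    case $last in
        *:*) repo=${repo%:*} ;;
    esac

    # Pulling by digest avoids the tag being moved after verification.
    printf '%s@%s\n' "$repo" "$digests"
}
```

Deploying the returned `repo@sha256:...` reference rather than the original tag means the image that runs is the one whose signature was checked.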

This follows a similar approach to the GPG signing we (and package developers in general) have provided for native Linux packages (RPM/DEB), as well as for the repository metadata itself, which is required for various more secure platforms (e.g. FIPS compliance).

We encourage anyone using OSS to get projects added to the OpenSSF if they can contribute in that way.


Another useful project provided by the OpenSSF is the gitsign tooling. Gitsign simplifies signed commit handling and helps prevent some of the possible attacks with standard GPG keys. We would also encourage anyone using Git to adopt it.
