SalsaGate
SalsaGate
SalsaGate is a high-performance verification layer that sits on top of your CI/CD. It enforces cryptographic signing, SBOMs, and attestations for every artifact before it reaches production—without slowing your developers down.
SalsaGate is designed as a verification fabric for modern engineering teams: fast, horizontally scalable, and friendly to both platform engineers and auditors.
Instant feedback in CI with cached metadata and stateless verification services.
Handle monorepos and microservices without rewriting how you build or deploy.
Define who can sign, what must pass, and which attestations are mandatory.
Bring your own keys and trust roots. No lock-in to a single signing stack.
SBOMs, test results, and verification logs stored as immutable evidence.
Admission controllers, IDE hints, and evidence explorer for long-term safety.
Get rid of long-lived CI secrets. SalsaGate exchanges short-lived OpenID Connect tokens from GitHub, GitLab, and cloud providers for scoped sessions.
permissions:
id-token: write
contents: read
- name: SalsaGate OIDC
run: salsagate auth oidc \
--provider github \
--aud salsagate.ioUse SalsaGate’s identity as the bridge into cloud roles.
aws sts assume-role-with-web-identity \
--role-arn arn:aws:iam::123456789012:role/SalsaGateRole \
--web-identity-token $SALSAGATE_ID_TOKEN \
--role-session-name salsa-ciRequire signatures, SBOMs, and test attestations before a release is allowed to ship.
- name: SalsaGate Verify
run: salsagate verify \
--artifact dist/app.tar.gz \
--policy strictBlock non-compliant workloads in production clusters using admission policies.
kubectl label ns production salsagate/policy=strict
# unsigned images rejected by webhookExport machine-verifiable bundles for SOC 2, ISO 27001 and internal change boards.
salsagate export evidence \
--days 30 \
--out evidence.jsonEnsure Terraform plans are generated in CI and signed by recognized identities.
terraform plan -out tfplan.bin
cosign sign-blob --key $COSIGN_KEY tfplan.bin
salsagate verify \
--artifact tfplan.bin \
--policy infraSalsaGate includes an MCP (Model Context Protocol) server that enables AI assistants like Claude to install, configure, and manage your supply chain security—just by asking.
MCP is an open standard that enables secure, two-way connections between AI tools and your infrastructure. Instead of manually configuring files, simply tell Claude what you need.
Add to your Claude Desktop config:
{
"mcpServers": {
"salsag-mcp": {
"command": "uvx",
"args": [
"--from",
"git+https://github.com/tanishk97/salsaG-installation#subdirectory=salsag-mcp",
"salsag-mcp"
]
}
}
}Just ask Claude:
Collaborate with other platform teams, share policies, and build a safer supply chain together.
Drop SalsaGate into your pipeline and start enforcing policies right away.
curl -sSL https://raw.githubusercontent.com/tanishk97/salsaG-installation/main/install.sh | bash -s -- \
--staging-bucket YOUR_BUCKET \
--website-bucket YOUR_SITE \
--region us-east-1git clone https://github.com/tanishk97/salsaG-installation.git
cd salsaG-installation
./install.sh --interactivepip install git+https://github.com/tanishk97/salsaG-installation#subdirectory=salsag-cli
salsaG verify --artifact index.tgz --config salsag.yml