Yesterday, GitHub announced an important new security feature called GitHub Artifact Attestations. It's powered by sigstore (a technology created by our CTO, Luke Hinds) and it helps developers generate and verify signed attestations for anything made with GitHub Actions.
We participated in the private beta for this and have already integrated support into Minder. Specifically, you can now use Minder to apply enhanced security policies using the contents of these signed attestations—for example, validating SBOM data like licenses, or verifying the results of an attested security scan.
Here are some more details on this feature, and tutorials on how to verify signed attestations and apply policies using attestation data in Minder: More info here