SalsaGate
The Next-Gen Supply-Chain Security Layer

SalsaGate is a high-performance verification layer that sits on top of your CI/CD. It enforces cryptographic signing, SBOMs, and attestations for every artifact before it reaches production—without slowing your developers down.

Verification Latency: < 150ms
Artifacts / Day: 10K+
Policies Enforced: 500+
Orgs Secured: 120+

Works with: GitHub Actions, GitLab CI, Jenkins, Kubernetes, Terraform, AWS / GCP / Azure

Built for the Future of Secure Delivery

SalsaGate is designed as a verification fabric for modern engineering teams: fast, horizontally scalable, and friendly to both platform engineers and auditors.

⚡ Lightning Fast

Median latency < 150ms

Instant feedback in CI with cached metadata and stateless verification services.

📈 Massive Scale

Thousands of artifacts

Handle monorepos and microservices without rewriting how you build or deploy.

🧠 Policy-as-Code

YAML, versioned with Git

Define who can sign, what must pass, and which attestations are mandatory.

🧱 Pluggable Signers

Cosign, Sigstore, KMS, GPG

Bring your own keys and trust roots. No lock-in to a single signing stack.

📜 Evidence Store

Audit-ready artifacts

SBOMs, test results, and verification logs stored as immutable evidence.

♾️ Future-Proof

Admission & IDE on the roadmap

Admission controllers, IDE hints, and evidence explorer for long-term safety.

Workload Identity with OIDC

Get rid of long-lived CI secrets. SalsaGate exchanges short-lived OpenID Connect tokens from GitHub, GitLab, and cloud providers for scoped sessions.

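permissions:
  id-token: write   # allows the job to request an OIDC token
  contents: read

- name: SalsaGate OIDC
  # Block scalar keeps the line continuations intact for the shell.
  run: |
    salsagate auth oidc \
      --provider github \
      --aud salsagate.io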
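An added example (not SalsaGate's own code) of the claim checks a service accepting a GitHub Actions OIDC token would apply before issuing a scoped session. It assumes the token's signature has already been verified against the issuer's JWKS; the allow-list and repository name are constructed values.

```python
# Claim checks for a GitHub Actions OIDC token whose signature has already
# been verified (assumed, e.g. by a JWT library). Covers claims only.
# ALLOWED_SUBJECTS and the repository name are constructed values.
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUD = "salsagate.io"          # matches --aud in the workflow step
ALLOWED_SUBJECTS = {                   # hypothetical allow-list, exact match
    "repo:example-org/app:ref:refs/heads/main",
}
LEEWAY = 30  # seconds of clock skew tolerated


def check_claims(claims, now=None):
    """Return a list of rejection reasons; an empty list means accept."""
    now = time.time() if now is None else now
    reasons = []
    if claims.get("iss") != GITHUB_ISSUER:
        reasons.append("issuer mismatch")
    # 'aud' may be a single string or a list of strings (RFC 7519).
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if EXPECTED_AUD not in audiences:
        reasons.append("audience mismatch")
    # Exact match only: prefix or glob matching on 'sub' would also admit
    # other branches, pull requests or repositories.
    if claims.get("sub") not in ALLOWED_SUBJECTS:
        reasons.append("subject not allowed")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or now > exp + LEEWAY:
        reasons.append("expired or missing exp")
    if isinstance(nbf, (int, float)) and now < nbf - LEEWAY:
        reasons.append("not yet valid")
    return reasons


# Constructed sample claims, not captured from a real workflow run.
SAMPLE = {
    "iss": GITHUB_ISSUER,
    "aud": "salsagate.io",
    "sub": "repo:example-org/app:ref:refs/heads/main",
    "nbf": 1_700_000_000,
    "exp": 1_700_000_300,
}

if __name__ == "__main__":
    pr = {**SAMPLE, "sub": "repo:example-org/app:pull_request"}
    for c in (SAMPLE, pr):
        print(check_claims(c, now=1_700_000_100))
```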

AWS Federation Example

Use SalsaGate’s identity as the bridge into cloud roles.

aws sts assume-role-with-web-identity \
  --role-arn arn:aws:iam::123456789012:role/SalsaGateRole \
  --web-identity-token "$SALSAGATE_ID_TOKEN" \
  --role-session-name salsa-ci

Use Cases for DevSecOps & Platform Teams

CI Gatekeeping

Require signatures, SBOMs, and test attestations before a release is allowed to ship.

- name: SalsaGate Verify
  # Block scalar keeps the line continuations intact for the shell.
  run: |
    salsagate verify \
      --artifact dist/app.tar.gz \
      --policy strict

Runtime Admission

Block non-compliant workloads in production clusters using admission policies.

kubectl label ns production salsagate/policy=strict
# unsigned images rejected by webhook

Compliance Evidence

Export machine-verifiable bundles for SOC 2, ISO 27001 and internal change boards.

salsagate export evidence \
  --days 30 \
  --out evidence.json

Infrastructure Plans

Ensure Terraform plans are generated in CI and signed by recognized identities.

terraform plan -out tfplan.bin
cosign sign-blob --key "$COSIGN_KEY" tfplan.bin
salsagate verify \
  --artifact tfplan.bin \
  --policy infra

Join the SalsaGate Community

Collaborate with other platform teams, share policies, and build a safer supply chain together.

Engineers: 5K+
Repos Secured: 2K+
Support: 24 / 7
Policies: 500+

Get Started in Minutes

Drop SalsaGate into your pipeline and start enforcing policies right away.

# -f makes curl fail on HTTP errors instead of piping an error page to bash
curl -fsSL https://example.com/salsagate/install.sh | bash
salsagate auth login
salsagate verify \
  --artifact ./dist/app.tar.gz \
  --policy strict