MIF Plugin Marketplace
Every plugin SHA-pinned, attested, and admitted only when it verifies — fail-closed.
How admission works
A plugin is listed only after its pinned release resolves to a real plugin and its SLSA attestation verifies fail-closed — no attestation, no listing.
graph LR
rel["Tagged release<br/>(SHA-pinned)"] --> att["SLSA build<br/>provenance"]
att --> adm{"catalog-admission<br/>verify"}
adm -->|resolves + verifies| ok["Admitted to catalog"]
adm -->|fails| no["Rejected (fail-closed)"]
Each catalog entry pins a plugin to a ref and a full-length commit SHA; the
catalog-admission workflow re-resolves the pin and verifies the release
attestation before the plugin appears. Read
how to add a plugin to submit one, or
verify a release to check an artifact yourself.
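
The fail-closed decision described above, as an added example (not the project's catalog-admission workflow). The entry fields, function names, individual checks and sample data are assumptions, and the attestation's signature is assumed to have been verified by a separate tool before this runs.

```python
import hashlib
import re

FULL_SHA = re.compile(r"[0-9a-f]{40}")  # full-length SHA-1 commit id
INTOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"

def admit(entry, resolve_ref, artifact, statement):
    """Return (admitted, reason); anything missing or mismatched rejects.

    entry: hypothetical catalog entry; resolve_ref(repo, ref) -> current SHA;
    statement: in-toto statement whose signature was verified beforehand.
    """
    try:
        sha = entry["sha"]
        if not FULL_SHA.fullmatch(sha):
            return False, "pin is not a full-length commit SHA"
        if resolve_ref(entry["repo"], entry["ref"]) != sha:
            return False, "ref does not resolve to the pinned SHA"
        if statement is None:
            return False, "no attestation"
        if (statement["_type"], statement["predicateType"]) != (INTOTO_V1, SLSA_V1):
            return False, "not SLSA v1 provenance"
        digest = hashlib.sha256(artifact).hexdigest()
        if not any(s["digest"].get("sha256") == digest for s in statement["subject"]):
            return False, "artifact is not a subject of the attestation"
        deps = statement["predicate"]["buildDefinition"]["resolvedDependencies"]
        if not any(d.get("digest", {}).get("gitCommit") == sha for d in deps):
            return False, "provenance does not name the pinned commit"
        return True, "admitted"
    except Exception as exc:  # fail closed: malformed input or resolver error
        return False, f"error: {type(exc).__name__}"

# Constructed sample data, not taken from any real plugin.
ARTIFACT = b"constructed plugin archive bytes"
PIN = "a" * 40
ENTRY = {"repo": "example-org/example-plugin", "ref": "v1.0.0", "sha": PIN}
STATEMENT = {
    "_type": INTOTO_V1,
    "predicateType": SLSA_V1,
    "subject": [{"name": "plugin.tgz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {"buildDefinition": {"resolvedDependencies": [
        {"uri": "git+https://example.invalid/example-plugin",
         "digest": {"gitCommit": PIN}}]}},
}

def resolve(repo, ref):
    return PIN  # stand-in for looking the tag up in the repository
```

Calling `admit(ENTRY, resolve, ARTIFACT, STATEMENT)` admits the constructed entry; passing `None` as the statement, an abbreviated SHA, or a resolver that raises all return a rejection rather than an exception.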