MIF Plugin Marketplace

Every plugin SHA-pinned, attested, and admitted only when it verifies — fail-closed.

A plugin is listed only after its pinned release resolves to a real plugin and its SLSA attestation verifies fail-closed — no attestation, no listing.

```mermaid
graph LR
  rel["Tagged release<br/>(SHA-pinned)"] --> att["SLSA build<br/>provenance"]
  att --> adm{"catalog-admission<br/>verify"}
  adm -->|resolves + verifies| ok["Admitted to catalog"]
  adm -->|fails| no["Rejected (fail-closed)"]
```

Each catalog entry pins a plugin to a ref + full-length commit sha; the catalog-admission workflow re-resolves the pin and verifies the release attestation before the plugin appears. Read how to add a plugin to submit one, or verify a release to check an artifact yourself.
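
The following sketch of a fail-closed admission decision is an added example, not the marketplace's catalog-admission workflow. It assumes the attestation is an in-toto v1 statement carrying SLSA v1 provenance whose signature an attestation tool has already verified; the entry fields, `resolve_ref`, `admit` and all sample data are hypothetical and constructed.

```python
import hashlib
import re

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"
FULL_SHA = re.compile(r"[0-9a-f]{40}")  # full-length SHA-1 commit id

# Constructed sample data (not a real plugin, release or attestation).
ARTIFACT = b"constructed plugin archive bytes"
ENTRY = {"repo": "example/plugin", "ref": "refs/tags/v1.0.0", "sha": "a" * 40}
REFS = {(ENTRY["repo"], ENTRY["ref"]): ENTRY["sha"]}
SUBJECT = {"name": "plugin.tar.gz",
           "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}
STATEMENT = {
    "_type": STATEMENT_V1, "predicateType": SLSA_V1, "subject": [SUBJECT],
    "predicate": {"buildDefinition": {
        "resolvedDependencies": [{"digest": {"gitCommit": ENTRY["sha"]}}]}},
}


def resolve_ref(repo, ref):
    """Hypothetical resolver; a real one would query the git host."""
    return REFS[(repo, ref)]


def admit(entry, resolve, artifact, statement):
    """Return (admitted, reason); any doubt or error means rejection."""
    try:
        # 1. The pin must carry a full-length commit sha, not an abbreviation.
        if not FULL_SHA.fullmatch(entry["sha"]):
            return False, "sha is not a full-length commit id"
        # 2. Re-resolve the ref: a moved tag no longer matches the pin.
        if resolve(entry["repo"], entry["ref"]) != entry["sha"]:
            return False, "ref does not resolve to the pinned sha"
        # 3. No attestation, no listing.
        if statement is None:
            return False, "no attestation"
        if (statement["_type"], statement["predicateType"]) != (STATEMENT_V1, SLSA_V1):
            return False, "not a SLSA v1 provenance statement"
        # 4. The provenance must cover exactly these artifact bytes.
        digest = hashlib.sha256(artifact).hexdigest()
        if not any(s["digest"].get("sha256") == digest for s in statement["subject"]):
            return False, "artifact digest not among attested subjects"
        # 5. The build must have started from the pinned commit.
        deps = statement["predicate"]["buildDefinition"]["resolvedDependencies"]
        if not any(d.get("digest", {}).get("gitCommit") == entry["sha"] for d in deps):
            return False, "provenance source commit differs from pin"
        return True, "admitted"
    except Exception as exc:  # malformed input or resolver failure: fail closed
        return False, f"verification error: {type(exc).__name__}"
```

Every path other than the single `return True` rejects, including a resolver that raises or a statement with missing fields, which is what fail-closed means for an admission gate.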