
docs: add pipeline attestation verification gates#1373

Open

catcherintheroad-hub wants to merge 1 commit into UnitOneAI:main from catcherintheroad-hub:improve/pipeline-attestation-verification

Conversation

@catcherintheroad-hub

Created from review issue: #1372

Summary

  • Add deployment-time attestation verification checks to CICD-SEC-9.
  • Require digest binding, issuer/certificate identity constraints, source and builder provenance checks, and production enforcement evidence.
  • Add an attestation verification output table and edge-case fixtures for mutable tags, unconstrained verification, admission enforcement, and multi-arch images.

Validation

  • git diff --check
  • Markdown fence/non-ASCII sanity check
  • Reference URL checks for SLSA, Sigstore cosign verification, and GitHub artifact attestations


@chatgpt-codex-connector (bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cf427f66fe


```yaml
predicateType: https://slsa.dev/provenance/v1
```

**Expected result:** Pass for the attestation verification portion of CICD-SEC-9 when paired with digest-based deployment.

P2: Downgrade the incomplete policy fixture from pass

For policy-controller configurations like this fixture, the attestations block only requires a matching SLSA predicate type; without an attestation policy it does not check the SLSA predicate's source repository, workflow ref/commit, or builder identity that the skill now requires. Marking this as a Pass can train reviewers to credit production admission policies that still allow provenance from the wrong source or builder, so this case should remain Partial unless those predicate checks are added.

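The gap the review points out, a `predicateType` match that never inspects the predicate itself, is easy to make concrete. The following is an added example, not code from this PR or from the UnitOneAI project: it applies the checks the skill text requires (digest binding, builder identity, source repository and ref, workflow path) to a SLSA v1 provenance statement and contrasts that with a type-only gate. The policy values, image reference, digests and both statements are constructed sample data; the `builder.id` and `buildType` strings are assumed to match what GitHub-hosted runners emit, and the statement layout follows the public in-toto v1 / SLSA v1 schema.

```python
# Added example (not the PR's or the project's code): a deployment-time gate over a
# SLSA v1 provenance statement that goes beyond predicateType matching.
# All policy values, digests and statements below are constructed sample data.
import json
from dataclasses import dataclass

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"


@dataclass(frozen=True)
class ProvenancePolicy:
    """Constraints a production gate enforces: predicate type, builder identity,
    source repository, allowed refs and the workflow file that produced the build."""
    predicate_type: str
    allowed_builder_ids: frozenset
    source_repository: str
    allowed_refs: frozenset
    workflow_path: str


def digest_from_image_ref(image_ref: str) -> str:
    """Return the sha256 hex digest of a digest-pinned image reference.
    A tag-only reference is mutable and cannot be bound to an attestation."""
    if "@sha256:" not in image_ref:
        raise ValueError(f"image reference is not digest-pinned: {image_ref}")
    digest = image_ref.rsplit("@sha256:", 1)[1]
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed sha256 digest in {image_ref}")
    return digest


def type_only_gate(statement: dict) -> bool:
    """What an admission rule that only requires a matching predicateType checks."""
    return statement.get("predicateType") == SLSA_V1


def verify_provenance(statement: dict, image_ref: str, policy: ProvenancePolicy) -> list:
    """Return a list of failures; an empty list means the statement passes the gate."""
    failures = []
    if statement.get("_type") != STATEMENT_V1:
        failures.append("not an in-toto v1 statement")
    ptype = statement.get("predicateType")
    if ptype != policy.predicate_type:
        failures.append(f"predicateType {ptype!r} != {policy.predicate_type!r}")

    # Digest binding: the digest being deployed must be one of the statement subjects.
    try:
        want = digest_from_image_ref(image_ref)
    except ValueError as exc:
        return failures + [str(exc)]
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == want for s in subjects):
        failures.append("subject digest does not match the deployed image digest")

    # Predicate checks that a predicateType-only rule never performs.
    pred = statement.get("predicate") or {}
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in policy.allowed_builder_ids:
        failures.append(f"builder.id {builder_id!r} not in allowed builders")
    workflow = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != policy.source_repository:
        failures.append(f"source repository {workflow.get('repository')!r} != {policy.source_repository!r}")
    if workflow.get("ref") not in policy.allowed_refs:
        failures.append(f"source ref {workflow.get('ref')!r} not allowed")
    if workflow.get("path") != policy.workflow_path:
        failures.append(f"workflow path {workflow.get('path')!r} != {policy.workflow_path!r}")
    return failures


def _statement(repository: str, ref: str, builder_id: str, digest: str) -> dict:
    """Constructed SLSA v1 statement carrying only the fields the gate inspects."""
    return {
        "_type": STATEMENT_V1,
        "subject": [{"name": "registry.example/app", "digest": {"sha256": digest}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://actions.github.io/buildtypes/workflow/v1",  # assumed value
                "externalParameters": {
                    "workflow": {"repository": repository, "ref": ref,
                                 "path": ".github/workflows/release.yml"}
                },
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


GOOD_DIGEST = "a" * 64  # constructed placeholder digest
HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"  # assumed value
POLICY = ProvenancePolicy(
    predicate_type=SLSA_V1,
    allowed_builder_ids=frozenset({HOSTED_BUILDER}),
    source_repository="https://github.com/example-org/app",
    allowed_refs=frozenset({"refs/heads/main"}),
    workflow_path=".github/workflows/release.yml",
)
IMAGE = f"registry.example/app@sha256:{GOOD_DIGEST}"

# Provenance from the expected repository, ref and builder.
TRUSTED = _statement("https://github.com/example-org/app", "refs/heads/main", HOSTED_BUILDER, GOOD_DIGEST)
# Same predicate type and same digest, but built from a fork on a feature branch by an
# unknown builder: a type-only rule cannot tell the two apart.
FORK_BUILT = _statement("https://github.com/someone-else/app", "refs/heads/feature",
                        "https://example.invalid/self-hosted-builder", GOOD_DIGEST)

if __name__ == "__main__":
    print("type-only gate admits fork build:", type_only_gate(FORK_BUILT))
    print("constrained gate, fork build:", json.dumps(verify_provenance(FORK_BUILT, IMAGE, POLICY), indent=2))
    print("constrained gate, trusted build:", verify_provenance(TRUSTED, IMAGE, POLICY))
```

Running it shows the type-only gate admitting the fork-built image while the constrained gate reports three failures (builder, repository, ref); the same function also rejects a tag-only image reference before it looks at the predicate, which is the digest-binding requirement from the PR summary. A real policy-controller or cosign setup would express these constraints in its policy language and verify the signature first; this snippet only shows which fields the policy has to assert on.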
