Image attestation is the process of generating a cryptographically signed, verifiable statement about a container image, such as a Software Bill of Materials (SBOM) or a vulnerability scan result, and storing it alongside the image in an OCI-compliant registry. This mechanism provides a tamper-proof metadata layer that allows downstream consumers to verify the provenance, integrity, and security posture of an artifact before deployment, directly supporting supply chain security.
Glossary
Image Attestation

What is Image Attestation?
A cryptographically signed, verifiable statement about a container image, such as an SBOM or a vulnerability scan result, stored alongside the image in the registry.
Unlike a simple image signature that verifies the artifact itself, an attestation makes specific, structured claims about the image. Tools like Cosign facilitate this by generating an in-toto attestation predicate, signing it with an identity from Sigstore, and attaching it to the image digest. An Admission Controller can then enforce policies that block the deployment of images lacking a valid attestation from a trusted builder, ensuring only verified artifacts run in production.
Key Characteristics of Image Attestations
Image attestations provide a cryptographically signed, tamper-proof statement about a container image, enabling automated policy enforcement and supply chain security.
Cryptographic Signing
Attestations are generated using digital signatures tied to an identity, often via OpenID Connect or long-lived keys. The signature is stored as an OCI Artifact alongside the image in the registry, ensuring the statement cannot be modified without detection. Tools like Cosign and Notary implement this by signing a hash of the attestation payload, creating a verifiable link between the claim and the image digest.
Attestation Predicates
The attestation's predicate defines the type of claim being made. Standardized predicate types enable automated parsing and policy evaluation:
- SLSA Provenance: Records the build environment, source repo, and builder identity.
- SBOM (SPDX/CycloneDX): A nested inventory of all software components.
- Vulnerability Scan Result: A signed statement that a specific scanner completed a scan with a given result set at a point in time.
In-Toto Attestation Format
The in-toto specification provides the standard JSON schema for attestations. It defines a Statement object that binds a Subject (the image digest) to a Predicate (the claim). This structure ensures interoperability across different tools and registries. An attestation is not just a signature; it is a structured, machine-readable document that can be evaluated programmatically against complex Rego or CEL policies.
Transparency and Auditing
Keyless signing via Sigstore uploads attestation metadata to a public, append-only Rekor transparency log. This provides a verifiable timeline of all signing events, enabling auditors to detect unauthorized signing activity. Even in private registries, the transparency log offers a non-repudiable record that a specific identity signed a specific claim at a specific time, critical for SLSA compliance and forensic analysis.
Frequently Asked Questions
Clear answers to the most common questions about cryptographically verifying container image provenance, integrity, and compliance within private registries.
Image attestation is a cryptographically signed, verifiable statement about a container image, such as an SBOM or a vulnerability scan result, stored alongside the image in the registry. The process works by generating a detached signature over a JSON payload containing the claim using a signing tool like Cosign. This signature is then pushed to the OCI registry as a separate artifact, linked to the original image via its digest. At verification time, a policy engine or admission controller retrieves the signature, validates it against a trusted public key or certificate, and confirms the attestation's integrity and authenticity before allowing deployment. This mechanism ensures that the metadata about an image is as trustworthy as the image itself, forming a critical component of a SLSA-compliant supply chain.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts and tooling that form the foundation of container image attestation, enabling verifiable trust in software supply chains.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us