Inferensys

Glossary

Image Attestation

A cryptographically signed, verifiable statement about a container image, such as an SBOM or a vulnerability scan result, stored alongside the image in the registry.
Data engineer managing feature store on laptop, feature definitions visible, casual data engineering session.
CRYPTOGRAPHIC VERIFICATION

What is Image Attestation?

A cryptographically signed, verifiable statement about a container image, such as an SBOM or a vulnerability scan result, stored alongside the image in the registry.

Image attestation is the process of generating a cryptographically signed, verifiable statement about a container image, such as a Software Bill of Materials (SBOM) or a vulnerability scan result, and storing it alongside the image in an OCI-compliant registry. This mechanism provides a tamper-proof metadata layer that allows downstream consumers to verify the provenance, integrity, and security posture of an artifact before deployment, directly supporting supply chain security.

Unlike a simple image signature that verifies the artifact itself, an attestation makes specific, structured claims about the image. Tools like Cosign facilitate this by generating an in-toto attestation predicate, signing it with an identity from Sigstore, and attaching it to the image digest. An Admission Controller can then enforce policies that block the deployment of images lacking a valid attestation from a trusted builder, ensuring only verified artifacts run in production.

CRYPTOGRAPHIC VERIFIABILITY

Key Characteristics of Image Attestations

Image attestations provide a cryptographically signed, tamper-proof statement about a container image, enabling automated policy enforcement and supply chain security.

01

Cryptographic Signing

Attestations are generated using digital signatures tied to an identity, often via OpenID Connect or long-lived keys. The signature is stored as an OCI Artifact alongside the image in the registry, ensuring the statement cannot be modified without detection. Tools like Cosign and Notary implement this by signing a hash of the attestation payload, creating a verifiable link between the claim and the image digest.

SHA256
Digest Algorithm
Sigstore
Common Framework
02

Attestation Predicates

The attestation's predicate defines the type of claim being made. Standardized predicate types enable automated parsing and policy evaluation:

  • SLSA Provenance: Records the build environment, source repo, and builder identity.
  • SBOM (SPDX/CycloneDX): A nested inventory of all software components.
  • Vulnerability Scan Result: A signed statement that a specific scanner completed a scan with a given result set at a point in time.
04

In-Toto Attestation Format

The in-toto specification provides the standard JSON schema for attestations. It defines a Statement object that binds a Subject (the image digest) to a Predicate (the claim). This structure ensures interoperability across different tools and registries. An attestation is not just a signature; it is a structured, machine-readable document that can be evaluated programmatically against complex Rego or CEL policies.

05

Transparency and Auditing

Keyless signing via Sigstore uploads attestation metadata to a public, append-only Rekor transparency log. This provides a verifiable timeline of all signing events, enabling auditors to detect unauthorized signing activity. Even in private registries, the transparency log offers a non-repudiable record that a specific identity signed a specific claim at a specific time, critical for SLSA compliance and forensic analysis.

IMAGE ATTESTATION

Frequently Asked Questions

Clear answers to the most common questions about cryptographically verifying container image provenance, integrity, and compliance within private registries.

Image attestation is a cryptographically signed, verifiable statement about a container image, such as an SBOM or a vulnerability scan result, stored alongside the image in the registry. The process works by generating a detached signature over a JSON payload containing the claim using a signing tool like Cosign. This signature is then pushed to the OCI registry as a separate artifact, linked to the original image via its digest. At verification time, a policy engine or admission controller retrieves the signature, validates it against a trusted public key or certificate, and confirms the attestation's integrity and authenticity before allowing deployment. This mechanism ensures that the metadata about an image is as trustworthy as the image itself, forming a critical component of a SLSA-compliant supply chain.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.