An image digest is a fixed, cryptographic hash generated from the raw content of a container image manifest. Unlike mutable tags, the digest is a content-addressable identifier, meaning any change to the image's layers or configuration produces a completely different hash. This property guarantees that pulling an image by its digest always retrieves the exact same, bit-for-bit identical artifact.
Glossary
Image Digest

What is an Image Digest?
An image digest is a unique, content-addressable SHA256 hash that immutably identifies a specific container image manifest, enabling cryptographic verification of integrity and deterministic deployments.
Digests are fundamental to software supply chain security, serving as the anchor for digital signatures generated by tools like Cosign and for enforcing Binary Authorization policies in Kubernetes. By referencing image@sha256:abc... instead of image:latest, operators eliminate the risk of tag mutation attacks and ensure runtime immutability across air-gapped and sovereign infrastructure environments.
Key Properties of Image Digests
An image digest is a content-addressable SHA256 hash that serves as the immutable fingerprint of a container image. Unlike mutable tags, the digest guarantees that the exact bits you verified are the bits you deploy.
Content-Addressable Integrity
The digest is computed from the manifest or layer content itself, not assigned arbitrarily. Any modification to a single file, environment variable, or metadata field produces a completely different hash. This property enables cryptographic verification that the image pulled at runtime is byte-for-byte identical to the one scanned and approved in the CI/CD pipeline. Content-addressable storage also enables automatic deduplication across registries, since identical layers share the same digest regardless of the image name or tag.
Immutable and Tamper-Evident
Once an image manifest is hashed, the resulting digest is permanently bound to that specific content. Registries enforce immutability by rejecting any attempt to overwrite an existing digest with different content. This makes digests the foundation of supply chain security—a digest pinned in a Kubernetes deployment manifest or policy engine cannot be silently replaced by a malicious actor. Any tampering is immediately detectable because the recomputed hash will not match the pinned value.
Digest vs. Tag: Deterministic Deployments
Tags like latest or v1.2.3 are mutable pointers that can be moved to different images over time. A digest like sha256:abc123... is a deterministic, immutable reference. Production deployments should always pin by digest to guarantee repeatability:
- Tag: Mutable, human-friendly, can be retagged
- Digest: Immutable, machine-verifiable, unique per content
- Best practice: Use tags for human identification, digests for deployment manifests and policy enforcement
Manifest Digest vs. Layer Digest
Two distinct digest types exist in the OCI specification:
- Manifest Digest: The SHA256 hash of the entire image manifest JSON, which references all layers and configuration. This is the digest typically used to pull an image.
- Layer Digest: The SHA256 hash of an individual compressed filesystem layer blob. Each layer is independently content-addressable. Changing a single layer changes the manifest digest, creating a cryptographic chain of custody from the final image back to every constituent component.
Digest in Security Policies
Image digests are the anchor for deploy-time security controls. Admission controllers and binary authorization systems evaluate policies against the digest, not the tag, to prevent tag-spoofing attacks. A typical enforcement flow:
- Build system pushes image, records the digest
- Vulnerability scanner attests to the digest via Cosign or Notary
- Admission controller verifies the signature and attestation against the exact digest before allowing pod creation This ensures the image that was scanned is the image that runs.
Digest Resolution and Pinning
When pulling by tag, the registry returns the current manifest digest in the response header (Docker-Content-Digest). Tools can capture this to convert a mutable tag reference into an immutable digest pin. Common patterns:
docker pull alpine@sha256:...— pull by digest directlyskopeo inspect docker://image:tag— resolve tag to digest without pulling- Kubernetes
imagePullPolicy: IfNotPresentcombined with digest references ensures nodes never accidentally pull a mutated image
Frequently Asked Questions
Clear, technical answers to the most common questions about content-addressable image identifiers and their role in securing software supply chains.
An image digest is a unique, content-addressable SHA256 hash that immutably identifies a specific container image manifest or layer. It is computed by applying the SHA-256 cryptographic hash function to the raw content of the manifest, producing a fixed-length string like sha256:abc123.... Unlike a mutable tag such as latest, a digest is a permanent fingerprint of the exact bytes. When you pull an image by digest, the registry locates the content using this hash rather than a name lookup, guaranteeing you receive the precise artifact you requested. This mechanism is foundational to content-addressable storage, where the location and identity of data are cryptographically bound, enabling deduplication and tamper detection at the storage layer.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts and tools that work alongside image digests to establish cryptographic trust and supply chain security for containerized AI workloads.
Content Trust
A security mechanism that uses digital signatures to ensure only authorized, untampered container images are pulled and executed. Content trust relies on image digests as the immutable reference point—signatures are generated over the digest, not the mutable tag. When enabled, the container runtime verifies the signature against the digest before extraction, blocking any image whose manifest has been altered or replaced.
SLSA Provenance
The Supply-chain Levels for Software Artifacts framework provides a tamper-proof, attestable record of the build process. SLSA provenance documents reference the image digest as the subject, binding build metadata—builder identity, source repository, build commands—to the immutable artifact. This creates a verifiable chain from source code to the specific digest deployed in production, critical for air-gapped AI infrastructure audits.
Binary Authorization
A deploy-time security control in Kubernetes that enforces strict signature validation. Policies reference image digests to whitelist only specific, signed artifacts. The admission controller intercepts pod creation requests and verifies that the digest matches an approved attestation before allowing scheduling. This prevents unsigned or tampered images from ever reaching the container runtime, even if an attacker compromises the registry.
Content-Addressable Storage
A storage architecture where data blobs are located by a cryptographic hash of their content rather than a mutable name. Container registries use this model: each layer blob is stored under its SHA256 digest, enabling automatic deduplication—identical layers across different images share the same storage. This guarantees that retrieving a blob by digest always returns the exact bytes originally pushed, with no possibility of substitution.
Image Attestation
A cryptographically signed, verifiable statement about a container image stored alongside it in the registry. Common attestations include SBOMs, vulnerability scan results, and build provenance. Each attestation references the image digest as its subject, creating a cryptographic binding. During deployment, policy engines verify that the digest has the required attestations—such as a clean vulnerability scan—before allowing execution.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us