Inferensys

Glossary

Image Digest

A unique, content-addressable SHA256 hash that immutably identifies a specific container image manifest or layer, enabling cryptographic verification of integrity.
Moody home-office setup in a converted highrise loft, analyst working late with multiple screens showing knowledge graph visualizations, city lights through large windows behind.
IMMUTABLE IDENTIFIER

What is an Image Digest?

An image digest is a unique, content-addressable SHA256 hash that immutably identifies a specific container image manifest, enabling cryptographic verification of integrity and deterministic deployments.

An image digest is a fixed, cryptographic hash generated from the raw content of a container image manifest. Unlike mutable tags, the digest is a content-addressable identifier, meaning any change to the image's layers or configuration produces a completely different hash. This property guarantees that pulling an image by its digest always retrieves the exact same, bit-for-bit identical artifact.

Digests are fundamental to software supply chain security, serving as the anchor for digital signatures generated by tools like Cosign and for enforcing Binary Authorization policies in Kubernetes. By referencing image@sha256:abc... instead of image:latest, operators eliminate the risk of tag mutation attacks and ensure runtime immutability across air-gapped and sovereign infrastructure environments.

CRYPTOGRAPHIC IDENTITY

Key Properties of Image Digests

An image digest is a content-addressable SHA256 hash that serves as the immutable fingerprint of a container image. Unlike mutable tags, the digest guarantees that the exact bits you verified are the bits you deploy.

01

Content-Addressable Integrity

The digest is computed from the manifest or layer content itself, not assigned arbitrarily. Any modification to a single file, environment variable, or metadata field produces a completely different hash. This property enables cryptographic verification that the image pulled at runtime is byte-for-byte identical to the one scanned and approved in the CI/CD pipeline. Content-addressable storage also enables automatic deduplication across registries, since identical layers share the same digest regardless of the image name or tag.

02

Immutable and Tamper-Evident

Once an image manifest is hashed, the resulting digest is permanently bound to that specific content. Registries enforce immutability by rejecting any attempt to overwrite an existing digest with different content. This makes digests the foundation of supply chain security—a digest pinned in a Kubernetes deployment manifest or policy engine cannot be silently replaced by a malicious actor. Any tampering is immediately detectable because the recomputed hash will not match the pinned value.

03

Digest vs. Tag: Deterministic Deployments

Tags like latest or v1.2.3 are mutable pointers that can be moved to different images over time. A digest like sha256:abc123... is a deterministic, immutable reference. Production deployments should always pin by digest to guarantee repeatability:

  • Tag: Mutable, human-friendly, can be retagged
  • Digest: Immutable, machine-verifiable, unique per content
  • Best practice: Use tags for human identification, digests for deployment manifests and policy enforcement
04

Manifest Digest vs. Layer Digest

Two distinct digest types exist in the OCI specification:

  • Manifest Digest: The SHA256 hash of the entire image manifest JSON, which references all layers and configuration. This is the digest typically used to pull an image.
  • Layer Digest: The SHA256 hash of an individual compressed filesystem layer blob. Each layer is independently content-addressable. Changing a single layer changes the manifest digest, creating a cryptographic chain of custody from the final image back to every constituent component.
05

Digest in Security Policies

Image digests are the anchor for deploy-time security controls. Admission controllers and binary authorization systems evaluate policies against the digest, not the tag, to prevent tag-spoofing attacks. A typical enforcement flow:

  • Build system pushes image, records the digest
  • Vulnerability scanner attests to the digest via Cosign or Notary
  • Admission controller verifies the signature and attestation against the exact digest before allowing pod creation This ensures the image that was scanned is the image that runs.
06

Digest Resolution and Pinning

When pulling by tag, the registry returns the current manifest digest in the response header (Docker-Content-Digest). Tools can capture this to convert a mutable tag reference into an immutable digest pin. Common patterns:

  • docker pull alpine@sha256:... — pull by digest directly
  • skopeo inspect docker://image:tag — resolve tag to digest without pulling
  • Kubernetes imagePullPolicy: IfNotPresent combined with digest references ensures nodes never accidentally pull a mutated image
IMAGE DIGEST

Frequently Asked Questions

Clear, technical answers to the most common questions about content-addressable image identifiers and their role in securing software supply chains.

An image digest is a unique, content-addressable SHA256 hash that immutably identifies a specific container image manifest or layer. It is computed by applying the SHA-256 cryptographic hash function to the raw content of the manifest, producing a fixed-length string like sha256:abc123.... Unlike a mutable tag such as latest, a digest is a permanent fingerprint of the exact bytes. When you pull an image by digest, the registry locates the content using this hash rather than a name lookup, guaranteeing you receive the precise artifact you requested. This mechanism is foundational to content-addressable storage, where the location and identity of data are cryptographically bound, enabling deduplication and tamper detection at the storage layer.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.