Inferensys

Glossary

Immutable Tag

A registry feature that prevents a specific image tag from being overwritten, ensuring that a reference to a particular version always points to the exact same artifact digest.
Data engineer managing feature store on laptop, feature definitions visible, casual data engineering session.
ARTIFACT INTEGRITY

What is Immutable Tag?

An immutable tag is a registry-enforced policy that permanently locks a specific image tag to a content-addressable digest, preventing the tag from being overwritten by subsequent pushes.

An immutable tag is a configuration setting on a container or artifact registry that disables the default behavior of tag mutability. Once activated for a specific tag, any future push operation attempting to overwrite that tag with a new manifest is rejected by the registry. This guarantees that a deployment reference like model-server:v2.1-prod always resolves to the exact same content-addressable digest, eliminating the risk of a silent, unauthorized artifact swap in a production environment.

This mechanism is foundational for supply chain security and auditability in MLOps pipelines. By combining immutable tags with cryptographic signing tools like Cosign, organizations achieve strict non-repudiation for model releases. The tag acts as a human-readable pointer that is permanently fused to a verifiable digest, ensuring that a compliance auditor or an admission controller can trust that the artifact referenced in a deployment manifest has not been altered since its initial publication.

TAMPER-PROOF REGISTRIES

Key Features of Immutable Tags

Immutable tags are a foundational control in secure software supply chains, preventing the silent replacement of artifacts and ensuring that a given version reference always resolves to the exact same, cryptographically verifiable content.

01

Content-Addressable Locking

An immutable tag is permanently pinned to a specific content digest (e.g., SHA256 hash) rather than a mutable pointer. Once set, the registry rejects any push operation that attempts to overwrite the tag with a different manifest. This guarantees that model:v1.0 always resolves to the exact same bytes, eliminating time-of-check to time-of-use (TOCTOU) vulnerabilities in deployment pipelines.

  • Prevents tag mutation attacks where a compromised CI pipeline replaces a known-good artifact.
  • Enables deterministic deployments across geographically distributed clusters.
  • Forms the basis for non-repudiation in model provenance chains.
SHA256
Digest Algorithm
100%
Content Fidelity
03

Quarantine-First Workflow

To support immutable tags, mature registries implement a quarantine-first promotion model. Artifacts are initially pushed to ephemeral, non-immutable tags (e.g., model:staging-abc123) for scanning and validation. Only after passing all binary authorization checks—including vulnerability scans and signature verification—is the artifact promoted by attaching a permanent, immutable tag.

  • Decouples the build act from the release act.
  • Ensures no artifact reaches production without passing a centralized policy engine.
  • Prevents cryptographic downgrade attacks by enforcing signature checks before promotion.
04

Tamper-Proof Audit Trail

Because an immutable tag is permanently bound to a content digest, it creates an unalterable historical record. Combined with a transparency log like Rekor, every tag assignment is cryptographically attested and publicly auditable. An auditor can traverse the log to verify that no artifact was retroactively substituted, establishing a chain of custody from build to deployment.

  • Enables retroactive verification of all production deployments.
  • Supports SLSA Level 3 compliance by providing non-falsifiable provenance.
  • Integrates with Rekor transparency logs for public auditability.
05

Air-Gapped Registry Compatibility

Immutable tag policies are critical in air-gapped environments where external revocation checks are impossible. In a disconnected sovereign cloud, a model's integrity must be guaranteed locally. Immutable tags, combined with a local Hardware Security Module (HSM) for key management, ensure that artifacts transferred via one-way data diodes cannot be tampered with after ingestion.

  • Supports WORM (Write-Once-Read-Many) storage models for regulatory compliance.
  • Prevents insider threats in physically isolated network segments.
  • Works natively with ORAS for transferring model weights and SBOMs across air gaps.
06

Digest-Based Referencing

The ultimate expression of immutability is bypassing tags entirely and referencing artifacts directly by their content digest (model@sha256:abc...). This practice eliminates the tag abstraction layer and guarantees that every node in the deployment chain is operating on a cryptographically precise artifact. Immutable tags serve as a human-readable alias for this digest-based workflow.

  • Eliminates dependency confusion attacks in multi-stage builds.
  • Ensures byte-for-byte reproducibility across dev, staging, and production.
  • Required for high-assurance Binary Authorization enforcement in Kubernetes.
IMMUTABLE TAG

Frequently Asked Questions

Clear, technical answers to the most common questions about immutable tags, their enforcement mechanisms, and their role in tamper-proof model registries.

An immutable tag is a registry-level feature that permanently locks a specific image tag to a single, content-addressable digest, preventing any subsequent push from overwriting that reference. Once immutability is enabled on a tag such as v1.2.3 or production, the registry rejects any write operation that attempts to mutate the tag's manifest pointer. Under the hood, the registry stores a mapping between the human-readable tag and the cryptographic digest (e.g., sha256:abc123...). When immutability is active, the registry's admission controller intercepts the push request, compares the incoming manifest against the stored digest, and returns an HTTP 409 Conflict if a mismatch is detected. This mechanism ensures that a deployment referencing model-server:v1.2.3 always pulls the exact same artifact bytes, eliminating the class of supply chain attacks where a compromised build pipeline silently replaces a known-good artifact with a malicious version. Immutability is typically implemented as a project-level or repository-level configuration setting in registries such as Harbor, AWS ECR, and Google Artifact Registry.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.