Verify container images

Container image verification prevents malicious or modified images from entering your environment. Before you deploy a Self-Deployed Runtime container, verify its signature so you can be confident the image was built by Atlan's official CI/CD pipeline, hasn't been modified since signing, and is traceable to a specific GitHub workflow. This guide provides step-by-step instructions to verify images using Cosign.

Prerequisites

  • Cosign is installed on your system. If not, follow the official Cosign installation guide.
  • You can access the container image you want to verify.
  • You know the image name and tag (for example: public.ecr.aws/atlanhq/redshift-app:2.0).

Verify container image

  1. Run the verification command. Run the following command, replacing <image-name> in the certificate identity and <full-image-path> with your values (for example, public.ecr.aws/atlanhq/redshift-app:2.0):

    COSIGN_EXPERIMENTAL=1 cosign verify \
    --allow-insecure-registry \
    --certificate-identity="https://github.com/atlanhq/<image-name>/.github/workflows/test-image-sign.yaml@refs/heads/image-signing-test" \
    --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
    <full-image-path>

    Example: verify the Redshift connector image

    COSIGN_EXPERIMENTAL=1 cosign verify \
    --allow-insecure-registry \
    --certificate-identity="https://github.com/atlanhq/connector-auth/.github/workflows/test-image-sign.yaml@refs/heads/image-signing-test" \
    --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
    public.ecr.aws/atlanhq/redshift-app:2.0
  2. Interpret the results. Check the output of the command:

    • If the verification succeeds, Cosign returns the verified signature along with the signer details.

      Example: verification successful

        Verification successful!
        - Image Digest (SHA256): abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890
        - Signed by: atlanhq/<image-name>/.github/workflows/image-sign.yaml
        - OIDC Issuer: https://token.actions.githubusercontent.com

    • If the verification fails, the image is either unsigned or has been modified since signing. Don't proceed with deployment until you obtain a validly signed image.

      Example: verification failed

        Verification failed!
        - Error: Signature verification failed
        - Reason: The signature doesn't match the expected digest.
        - Suggested Action: Check the image signature and ensure it was signed correctly.
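The following is an added example, not Atlan's own tooling: a small deploy gate that runs the verification command from step 1 and then re-checks the claims in Cosign's JSON output (repository, manifest digest, certificate Subject and Issuer) against the exact identity and issuer from this page, so the deployment can be pinned to the verified digest. It assumes Cosign's standard JSON output format; the sample output and its digest are constructed placeholders.

```python
"""Deploy gate for this page's cosign check (added example, not Atlan's tooling)."""
import json
import os
import subprocess

# Values from this page; the image is the page's Redshift example.
ISSUER = "https://token.actions.githubusercontent.com"
IDENTITY = ("https://github.com/atlanhq/connector-auth/.github/workflows/"
            "test-image-sign.yaml@refs/heads/image-signing-test")
IMAGE = "public.ecr.aws/atlanhq/redshift-app:2.0"

def cosign_verify(image, identity=IDENTITY, issuer=ISSUER):
    """Run the page's verification command; return its stdout (a JSON array)."""
    cmd = ["cosign", "verify", "--allow-insecure-registry",
           f"--certificate-identity={identity}",
           f"--certificate-oidc-issuer={issuer}", image]
    env = {**os.environ, "COSIGN_EXPERIMENTAL": "1"}
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True, env=env).stdout

def repository(image):
    """Strip tag or digest: ...redshift-app:2.0 -> ...redshift-app."""
    name = image.split("@")[0]
    colon = name.rfind(":")
    return name[:colon] if colon > name.rfind("/") else name

def signed_digest(output, image=IMAGE, identity=IDENTITY, issuer=ISSUER):
    """Return the digest all signatures attest to, or raise ValueError.
    Exact matches only: a signature from another branch or repo is rejected."""
    entries = json.loads(output)
    if not entries:
        raise ValueError("no valid signatures")
    digests = set()
    for e in entries:
        # 'critical': repository + manifest digest; 'optional': keyless cert claims
        crit, opt = e["critical"], e.get("optional") or {}
        if crit["identity"]["docker-reference"] != repository(image):
            raise ValueError("signature is for another repository")
        if opt.get("Subject") != identity or opt.get("Issuer") != issuer:
            raise ValueError("unexpected signer: %r" % opt.get("Subject"))
        digests.add(crit["image"]["docker-manifest-digest"])
    if len(digests) != 1:
        raise ValueError("signatures disagree on the image digest")
    return digests.pop()  # deploy by IMAGE@<digest>, not by tag

# Constructed sample of a successful verification; placeholder digest.
SAMPLE_OUTPUT = json.dumps([{
    "critical": {"identity": {"docker-reference": repository(IMAGE)},
                 "image": {"docker-manifest-digest": "sha256:" + "ab" * 32}},
    "optional": {"Issuer": ISSUER, "Subject": IDENTITY}}])
```

In a live pipeline, feed `cosign_verify(IMAGE)` into `signed_digest` and deploy `repository(IMAGE) + "@" + digest`, so a tag moved after verification cannot swap in a different image.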

Troubleshooting

If verification fails:

  1. Make sure you are using the correct image path and tag.
  2. Verify the certificate identity (the --certificate-identity value) matches the repository/workflow that signed the image.
  3. Confirm network connectivity to Sigstore (Cosign uses transparency and registry services).

Need help

If you are still facing issues and need help, contact [email protected] for assistance.

See also

  • Security: Security architecture, authentication, encryption, and compliance controls for Self-Deployed Runtime.
  • Configure network security: Set firewall rules, proxies, and Kubernetes policies to control App traffic.