Verify container images

Container image verification prevents malicious or modified images from entering your environment. Before you deploy a Self-Deployed Runtime container, verify its signature so you can be confident the image was built by Atlan's official CI/CD pipeline, hasn't been modified since signing, and is traceable to a specific GitHub workflow. This guide provides step-by-step instructions to verify images using Cosign.

Prerequisites

  • Cosign (v2 or later) is installed on your system. If not, follow the official Cosign installation guide.
  • You can access the container image you want to verify.
  • You know the image name and tag (for example: atlanhq/atlan-oracle-app:1.0.0).

Atlan signs Self-Deployed Runtime images with keyless Cosign. All images are signed by the same shared build workflow, so the --certificate-identity value below is the same for every image. Only the image path you verify changes.

Verify container image

  1. Run the verification command: Run the following command, replacing <full-image-path> with the image you want to verify (for example, atlanhq/atlan-oracle-app:1.0.0). The --certificate-identity and --certificate-oidc-issuer values are fixed; only the image path changes:

    cosign verify \
    --certificate-identity="https://github.com/atlanhq/application-sdk/.github/workflows/build-and-publish-app.yaml@refs/heads/main" \
    --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
    <full-image-path>

    Example: verify Oracle connector image

    cosign verify \
    --certificate-identity="https://github.com/atlanhq/application-sdk/.github/workflows/build-and-publish-app.yaml@refs/heads/main" \
    --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
    atlanhq/atlan-oracle-app:1.0.0
  2. Interpret the results: Check the output and exit status of the command:

    • If the verification is successful, Cosign returns a verified signature along with signer details.

      Example: verification successful
      Verification successful!
      - Image Digest (SHA256): abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890
      - Signed by: atlanhq/application-sdk/.github/workflows/build-and-publish-app.yaml@refs/heads/main
      - OIDC Issuer: https://token.actions.githubusercontent.com
    • If the verification fails, it means the image is either unsigned or has been modified. Don't proceed with deployment until you obtain a valid signed image.

      Example: verification failed
      Verification failed!
      - Error: Signature verification failed
      - Reason: The signature doesn't match the expected digest.
      - Suggested Action: Check the image signature and ensure it was signed correctly.
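Wrapping the command above in a deployment gate, as an added example (not Atlan's tooling and not code from this page): it pins the identity and issuer from the guide, treats any cosign failure as a rejection, and hands back a digest-pinned reference so the deployment pulls exactly the bytes that were verified rather than whatever the mutable tag resolves to later. It assumes cosign v2's default output (JSON signature payloads on stdout, diagnostics on stderr); the kubectl line in the usage comment uses a hypothetical deployment name.

```shell
#!/bin/sh
# Added example (not Atlan's own tooling): a deploy-time gate around the
# cosign command from this guide. It pins the signer identity and OIDC
# issuer, fails closed on any verification error, and returns a
# digest-pinned reference so the deployment pulls exactly the bytes that
# were verified rather than whatever the mutable tag resolves to later.

# Values from the guide; the identity is the same for every image.
ATLAN_CERT_IDENTITY="https://github.com/atlanhq/application-sdk/.github/workflows/build-and-publish-app.yaml@refs/heads/main"
ATLAN_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# strip_tag <image-ref>: drop a trailing ":tag" or "@digest" without
# mangling a registry host that carries a port (registry:5000/repo).
strip_tag() {
  case "$1" in
    *@*) printf '%s\n' "${1%%@*}" ;;
    *) case "${1##*:}" in
         */*) printf '%s\n' "$1" ;;        # last colon is a port, no tag
         *)   printf '%s\n' "${1%:*}" ;;   # last colon introduces the tag
       esac ;;
  esac
}

# verify_atlan_image <image[:tag]>
# On success prints "<repo>@sha256:<digest>" and returns 0. Returns 1 when
# cosign rejects the image or its output carries no manifest digest.
verify_atlan_image() {
  # cosign verify writes the accepted signatures as a JSON array on stdout
  # and diagnostics on stderr; any non-zero exit status is a rejection.
  vai_out="$(cosign verify \
    --certificate-identity="$ATLAN_CERT_IDENTITY" \
    --certificate-oidc-issuer="$ATLAN_OIDC_ISSUER" \
    "$1" 2>/dev/null)" || return 1

  # Extract the manifest digest from the signature payload.
  vai_digest="$(printf '%s\n' "$vai_out" \
    | sed -n 's/.*"docker-manifest-digest":"\(sha256:[0-9a-f]\{64\}\)".*/\1/p' \
    | head -n 1)"
  [ -n "$vai_digest" ] || return 1

  printf '%s@%s\n' "$(strip_tag "$1")" "$vai_digest"
}

# Usage in a deploy script: stop if verification fails, then deploy by
# digest (deployment/oracle-app is a hypothetical name).
#   ref="$(verify_atlan_image atlanhq/atlan-oracle-app:1.0.0)" || exit 1
#   kubectl set image deployment/oracle-app app="$ref"
```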

Troubleshooting

If verification fails:

  1. Make sure you are using the correct image path and tag.
  2. Use the certificate identity exactly as shown (…/atlanhq/application-sdk/.github/workflows/build-and-publish-app.yaml@refs/heads/main). It's the same for every Self-Deployed Runtime image, regardless of connector.
  3. Confirm network connectivity to Sigstore and to the container registry (keyless verification queries Sigstore's transparency log and fetches the signature from the registry).

Need help

If you are still facing issues and need help, contact [email protected] for assistance.

See also

  • Security: Security architecture, authentication, encryption, and compliance controls for Self-Deployed Runtime.
  • Configure network security: Set firewall rules, proxies, and Kubernetes policies to control App traffic.