Verify container images
Container image verification prevents malicious or modified images from entering your environment. Before you deploy a Self-Deployed Runtime container, verify its signature so you can be confident the image was built by Atlan's official CI/CD pipeline, hasn't been modified since signing, and is traceable to a specific GitHub workflow. This guide provides step-by-step instructions to verify images using Cosign.
Prerequisites
- Cosign (v2 or later) is installed on your system. If not, follow the official Cosign installation guide.
- You can access the container image you want to verify.
- You know the image name and tag (for example:
atlanhq/atlan-oracle-app:1.0.0).
Atlan signs Self-Deployed Runtime images with keyless Cosign. All images are signed by the same shared build workflow, so the --certificate-identity value below is the same for every image. Only the image path you verify changes.
Verify container image
-
Run the verification command: Run the following command, replacing
<full-image-path>with the image you want to verify (for example,atlanhq/atlan-oracle-app:1.0.0):cosign verify \--certificate-identity="https://github.com/atlanhq/application-sdk/.github/workflows/build-and-publish-app.yaml@refs/heads/main" \--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \<full-image-path>Example: verify Oracle connector image
cosign verify \--certificate-identity="https://github.com/atlanhq/application-sdk/.github/workflows/build-and-publish-app.yaml@refs/heads/main" \--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \atlanhq/atlan-oracle-app:1.0.0 -
Interpret the results: Verify the results produced by the command:
-
If the verification is successful, Cosign returns a verified signature along with signer details.
Example: verification successful
Verification successful!- Image Digest (SHA256): abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890- Signed by: atlanhq/application-sdk/.github/workflows/build-and-publish-app.yaml@refs/heads/main- OIDC Issuer: https://token.actions.githubusercontent.com -
If the verification fails, it means the image is either unsigned or has been modified. Don't proceed with deployment until you obtain a valid signed image.
Example: verification failed
Verification failed!- Error: Signature verification failed- Reason: The signature doesn't match the expected digest.- Suggested Action: Check the image signature and ensure it was signed correctly.
-
Troubleshooting
If verification fails:
- Make sure you are using the correct image path and tag.
- Use the certificate identity exactly as shown (
…/atlanhq/application-sdk/.github/workflows/build-and-publish-app.yaml@refs/heads/main). It's the same for every Self-Deployed Runtime image, regardless of connector. - Confirm network connectivity to Sigstore (Cosign uses transparency and registry services).
Need help
If you are still facing issues and need help, contact security@atlan.com for assistance.
See also
- Security: Security architecture, authentication, encryption, and compliance controls for Self-Deployed Runtime.
- Configure network security: Set firewall rules, proxies, and Kubernetes policies to control App traffic.