Skip to Main Content
Workshop Intermediate

Signing Container Image Trust with Cosign: A CNCF-Backed Open Source Project

Approved
Session Description

When we talk about security in modern DevOps, most of us immediately think about scanning, vulnerability checks, and maybe secret detection. But there's something critical that often gets missed: how do we actually prove that the Docker images you are deploying are really the ones we built?

We trust our CI/CD pipeline, but once an image is pushed to a registry, the chances of tampering are pretty high in today’s fast-moving world.

That’s where Cosign, an OSS tool from the Sigstore family, changes the game. It makes signing Docker images simple, automatable, and secure without complex key management.

Example Scenarios:

  • A developer builds an image, pushes it to a registry. How do we make sure that only signed images can be deployed to production?

  • We are working with multiple cloud providers. How can we ensure the same image is verified and trusted in AWS, Azure, and GCP clusters?

  • We want our CI/CD pipeline to automatically sign images without manual key management manual works.

These are real, multi-environment, multi-team scenarios that go beyond textbook examples.

In this session, we are going to discuss:

  • How to sign Docker images using Cosign with a practical demo.

  • How to integrate Cosign into our GitHub Actions pipeline so images are automatically signed as part of the builds.

  • How to verify those signed images locally, in CI, and in K8s clusters.

  • How Cosign fits with the bigger Sigstore ecosystem (Fulcio, Rekor) and why this matters for supply chain security.

This isn’t just a “hello world” demo. This is about making container signing a natural, easy part of our software delivery process, just like pushing code or running tests.

Key Takeaways

  • Understand why Docker image signing matters in real-world, OSS-driven supply chains.

  • Learn how to sign Docker images using Cosign with a practical demo

  • Discover how to automate image signing and verification using GitHub Actions (or any CI/CD tool).

  • Get familiar with the Sigstore ecosystem (Cosign, Fulcio, Rekor) and how they build transparent, OSS-backed trust.

  • Learn how to make image signing a developer-friendly, open, and repeatable process.

References

https://github.com/sigstore/sigstore
https://www.sigstore.dev/
https://blog.sigstore.dev/
https://docs.sigstore.dev/quickstart/quickstart-cosign/
https://github.com/sigstore/cosign

Session Categories

Tutorial about using a FOSS project
Introducing a FOSS project or a new version of a popular project
Technology architecture

Speakers

Santhosh NC
Lead Infrastructure Consultant | Thoughtworks

Seasoned, critical-thinking DevSecOps engineer with over 9 years of robust experience in designing, developing, building, testing, implementing, securing, operating, and monitoring applications and infrastructure across various domains.

Proficient in DevOps and Multi-Cloud technologies, demonstrating expertise in automated build and deployment tasks by creating comprehensive CI/CD/CT pipelines alongside infrastructure automation.

A talented performer driven by the pursuit of knowledge and adept at navigating and instructing others in emerging technologies.

Possesses a proven ability to collaborate effectively with excellent communication skills, autonomously and within diverse internal teams, to drive project success and innovation.

 https://www.linkedin.com/in/santhoshnc
Santhosh NC

Reviews

Reviewer #1 Approved
Reviewer #2 Approved