When we talk about security in modern DevOps, most of us immediately think about scanning, vulnerability checks, and maybe secret detection. But something critical often gets missed: how do we actually prove that the Docker images we deploy are the ones we built?
We trust our CI/CD pipeline, but once an image is pushed to a registry, a tag is just a mutable pointer: anyone with write access to the registry (or a leaked push credential) can replace what it points to, and the tag itself says nothing about who built the image or where.
That’s where Cosign, an OSS tool from the Sigstore project, changes the game. It makes signing Docker images simple, automatable, and secure, and with keyless signing there are no long-lived private keys to generate, store, or rotate.
Example Scenarios:
A developer builds an image, pushes it to a registry. How do we make sure that only signed images can be deployed to production?
We are working with multiple cloud providers. How can we ensure the same image is verified and trusted in AWS, Azure, and GCP clusters?
We want our CI/CD pipeline to sign images automatically, without any manual key management.
These are real, multi-environment, multi-team scenarios that go beyond textbook examples.
In this session, we are going to discuss:
How to sign Docker images using Cosign with a practical demo.
How to integrate Cosign into our GitHub Actions pipeline so images are automatically signed as part of the builds.
How to verify those signed images locally, in CI, and in K8s clusters.
How Cosign fits with the bigger Sigstore ecosystem (Fulcio for short-lived signing certificates, Rekor for the public transparency log) and why this matters for supply chain security.
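To make the three steps above concrete, here is an added example of a GitHub Actions workflow that builds an image, signs it keylessly with Cosign, and then verifies the signature. This is illustrative code written for this page, not the session's demo or a Sigstore project file. The image name `ghcr.io/example-org/example-app`, the organisation and repository names, and the `main` branch are all assumed placeholders.

```yaml
# Added example workflow: build, keyless-sign, and verify a container image.
# Assumed placeholders: ghcr.io/example-org/example-app and the example-org/example-app repo.
name: build-sign-verify

on:
  push:
    branches: [main]

env:
  IMAGE: ghcr.io/example-org/example-app   # hypothetical image name

permissions:
  contents: read
  packages: write   # push to GHCR
  id-token: write   # lets the job request an OIDC token, which Fulcio turns into a signing cert

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        id: push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      - uses: sigstore/cosign-installer@v3

      # Sign the immutable digest, not the mutable tag. No key file is involved:
      # cosign uses the job's OIDC identity, and the signature is recorded in Rekor.
      - name: Sign image (keyless)
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          cosign sign --yes "${IMAGE}@${DIGEST}"

      # Verification pins the expected signer identity (this repo's workflows)
      # and the OIDC issuer; a signature from any other identity is rejected.
      - name: Verify signature
        env:
          DIGEST: ${{ steps.push.outputs.digest }}
        run: |
          cosign verify \
            --certificate-identity-regexp '^https://github.com/example-org/example-app/' \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "${IMAGE}@${DIGEST}"
```

The `cosign verify` command in the last step is the same one to run locally before pulling an image; the identity and issuer flags are what stop a signature from an unrelated GitHub repository (which Fulcio would happily issue) from being accepted. Enforcing the same check at deploy time in a Kubernetes cluster needs an admission controller that calls into Cosign's verification logic, which is a separate setup from the workflow shown here.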
This isn’t just a “hello world” demo. This is about making container signing a natural, easy part of our software delivery process, just like pushing code or running tests.
Understand why Docker image signing matters in real-world, OSS-driven supply chains.
Learn how to sign Docker images using Cosign with a practical demo.
Discover how to automate image signing and verification using GitHub Actions (or any CI/CD tool).
Get familiar with the Sigstore ecosystem (Cosign, Fulcio, Rekor) and how they build transparent, OSS-backed trust.
Learn how to make image signing a developer-friendly, open, and repeatable process.