This article takes a detailed look at BuildKit‘s attestation feature, one of several options for creating and verifying attestations for Docker images. Introduction BuildKit, the image builder used under the hood by “docker build”, can create attestations for the Docker image that it builds, uploading these attestations to the image registry (as JSON manifests) as … Read more
This article takes a detailed look at GitHub’s attestation feature, one of several options for creating and verifying attestations for Docker images and files.
This article takes a detailed look at Cosign, one of several tools for creating and verifying Docker images and adding attestations such as build provenance.
This article takes a detailed look at image signatures created by Notation, which is one of several tools to create and verify Docker images.
This article provides an overview of available options to a) sign and verify Docker/container images and b) create image attestations. It compares the tools Docker Content Trust, BuildKit attestations, Notation, Cosign, and GitHub attestations. The basic terms and concepts are explained, and it concludes with recommendations for which tool is most suitable per use case.