You are browsing documentation for an older version. See the latest documentation here.
Verify build provenance for signed Kong Mesh images
Starting with 2.8.0, Kong Mesh produces build provenance for Docker container images, which can be verified using cosign
/ slsa-verifier
with attestations published to a Docker Hub repository.
This guide provides steps to verify build provenance for signed Kong Mesh Docker container images with an example to verify an image provenance leveraging any optional annotations for increased trust.
Because Kong uses GitHub Actions to build and release, Kong also uses GitHub’s OIDC identity to generate build provenance for container images, which is why many of these details are GitHub-related.
Prerequisites
-
Cosign
/slsa-verifier
is installed -
regctl
is installed -
Collect the necessary image details.
-
The GitHub owner is case-sensitive (
Kong/kong-mesh
vskong/kong-mesh
).
Example with kong/kuma-cp
Kong Mesh image provenance can be verified using cosign
or slsa-verifier
: