Kong Event Gateway container images are published to kong/kong-event-gateway on Docker Hub.
Each image is signed with Cosign using GitHub’s OIDC identity, and a set of attestations (SBOM, vulnerability scans, and more) is attached to it.
Image signatures and attestations are only available from Event Gateway 1.1.1 onwards. Earlier releases have no supply chain artifacts attached, so the commands on this page won’t return anything for them.
The examples below use kong/kong-event-gateway:1.2.0. Replace the version with the Event Gateway release you want to verify. The signing identity (...@refs/tags/v1.2.0) must match the exact release tag of the image you’re verifying, so keep the version consistent between the image and the --certificate-identity flag.
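One way to keep the image tag and the signing identity in lockstep, as an added example that is not part of Kong's documentation: the helper below derives the identity ref from the image tag and rejects releases older than 1.1.1. IDENTITY_PREFIX is a placeholder for the identity portion the page elides, and the issuer URL is the GitHub Actions OIDC issuer, assumed here from the page's mention of GitHub's OIDC identity.

```shell
#!/bin/sh
# Added example: derive the --certificate-identity value from the image tag so
# the two cannot drift apart. Not taken from Kong's documentation.

MIN_VERSION="1.1.1"   # first release with signatures and attestations (per the page)
# Placeholder: the page elides this part of the identity ("...@refs/tags/v1.2.0").
: "${IDENTITY_PREFIX:=PLACEHOLDER_WORKFLOW_IDENTITY}"
# Assumption: GitHub Actions OIDC issuer, used with cosign keyless verification.
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Print the X.Y.Z tag of an image reference; fail on untagged or digest refs.
image_version() {
  v=${1##*:}
  if [ "$v" = "$1" ] || ! printf '%s' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "expected an image reference ending in :X.Y.Z, got: $1" >&2
    return 1
  fi
  printf '%s\n' "$v"
}

# Succeed when version $1 >= version $2, comparing each field numerically.
version_ge() {
  a=$1 b=$2
  for i in 1 2 3; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# Print the signing identity whose ref matches the image's release tag.
signing_identity() {
  ver=$(image_version "$1") || return 1
  if ! version_ge "$ver" "$MIN_VERSION"; then
    echo "release $ver predates $MIN_VERSION: no signature to verify" >&2
    return 1
  fi
  printf '%s@refs/tags/v%s\n' "$IDENTITY_PREFIX" "$ver"
}

# Verify the image signature with the derived identity (needs cosign and network).
verify_image() {
  id=$(signing_identity "$1") || return 1
  cosign verify --certificate-identity "$id" \
    --certificate-oidc-issuer "$OIDC_ISSUER" "$1"
}
```

Set IDENTITY_PREFIX to the real identity prefix before calling `verify_image kong/kong-event-gateway:1.2.0`; with the placeholder left in, verification fails instead of matching an unintended identity.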