Kong produces build provenance for Inso CLI Docker container images, which can be verified using cosign or slsa-verifier, with attestations published to a Docker Hub repository.
This guide provides steps to verify build provenance for signed Inso CLI Docker images in two different ways:
- A minimal example, used to verify an image without leveraging any annotations
- A complete example, leveraging optional annotations for increased trust
For the minimal example, you only need a Docker manifest digest and a GitHub repo name.
The Docker manifest digest is required for build provenance verification. Note that the manifest digest can differ from the platform-specific image digest of a single distribution, so make sure you verify against the manifest digest rather than the digest of one platform's image.
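As an added illustration, not part of the Kong documentation, the script below hashes a constructed OCI image index the way a registry does and compares that manifest digest with the per-platform digests listed inside it. The index contents, digests and repository name are placeholders.

```python
import hashlib
import json

# Constructed OCI image index (a multi-arch "manifest list") standing in for
# what a registry serves for a tag. Digests are placeholders, not Kong artifacts.
IMAGE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "size": 1234,
            "digest": "sha256:" + "11" * 32,
            "platform": {"architecture": "amd64", "os": "linux"},
        },
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "size": 1234,
            "digest": "sha256:" + "22" * 32,
            "platform": {"architecture": "arm64", "os": "linux"},
        },
    ],
}

# The exact bytes a registry would return. The digest covers these bytes, so
# re-encoding (pretty-printing, reordering keys) yields a different digest.
RAW_INDEX = json.dumps(IMAGE_INDEX, separators=(",", ":"), sort_keys=True).encode()


def digest_of(raw: bytes) -> str:
    """Content digest in OCI notation: sha256 over the served bytes."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def manifest_digest(raw_index: bytes) -> str:
    """Digest to give to cosign/slsa-verifier: hash of the index bytes as served."""
    return digest_of(raw_index)


def platform_digests(raw_index: bytes) -> dict:
    """Per-platform image digests inside the index, keyed as 'os/arch'."""
    index = json.loads(raw_index)
    return {
        f"{m['platform']['os']}/{m['platform']['architecture']}": m["digest"]
        for m in index["manifests"]
    }


def pinned_reference(repo: str, raw_index: bytes) -> str:
    """Digest-pinned reference (repo@sha256:...) that provenance tools verify against."""
    return f"{repo}@{manifest_digest(raw_index)}"
```

Pulling the image on one platform and reading its digest from the local image store gives you a platform digest, not the value `manifest_digest` returns.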
For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you want to verify:
| Shorthand | Description | Example Value |
|---|---|---|
| REPO | GitHub repository | insomnia |
| WORKFLOW_NAME | GitHub workflow name | Release Publish |
| WORKFLOW_TRIGGER | GitHub workflow trigger name | workflow_dispatch |
| TAG | Docker image tag | 11.3.0 |
| VERSION | Inso CLI version | 11.3.0 |
Because Kong uses GitHub Actions to build and release, Kong also uses GitHub's OIDC identity to generate build provenance for images, which is why many of these details are GitHub-related.