brew install cosign
mshaik@rafis-MacBook-Pro ~ % docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
d7ecded7702a: Pull complete
266626526d42: Pull complete
320b0949be89: Pull complete
d921c57c6a81: Pull complete
9def903993e4: Pull complete
52bc359bcbd7: Pull complete
e2f8e296d9df: Pull complete
Digest: sha256:1beed3ca46acebe9d3fb62e9067f03d05d5bfa97a00f30938a0a3580563272ad
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest d261fd19cb63 13 days ago 152MB
mshaik@rafis-MacBook-Pro ~ % docker inspect d261fd19cb63
[
{
"Id": "sha256:d261fd19cb63238535ab80d4e1be1d9e7f6c8b5a28a820188968dd3e6f06072d",
"RepoTags": [
"nginx:latest"
],
"RepoDigests": [
"nginx@sha256:1beed3ca46acebe9d3fb62e9067f03d05d5bfa97a00f30938a0a3580563272ad"
],
"Parent": "",
"Comment": "buildkit.dockerfile.v0",
"Created": "2025-11-04T04:06:21.766701272Z",
mshaik@rafis-MacBook-Pro ~ % cosign generate-key-pair
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to cosign.pub
mshaik@rafis-MacBook-Pro ~ % docker login -u rafi494
Password:
Login Succeeded
Logging in with your password grants your terminal complete access to your account.
docker tag nginx:latest rafi494/nginx:custom
cosign sign --key cosign.key rafi494/nginx:custom
WARNING: Image reference rafi494/nginx:custom uses a tag, not a digest, to identify the image to sign.
This can lead you to sign a different image than the intended one. Please use a
digest (example.com/ubuntu@sha256:abc123...) rather than tag
(example.com/ubuntu:latest) for the input to cosign. The ability to refer to
images by tag will be removed in a future release.
cosign verify --key cosign.pub rafi494/nginx:custom
Verification for index.docker.io/rafi494/nginx:custom --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"index.docker.io/rafi494/nginx:custom"},"image":{"docker-manifest-digest":"sha256:9cee757adcd29d3aa6c309f62ccc426ec99bac5e5d9e9ac49d4a00568e0132dd"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":null}]
docker inspect d261fd19cb63
[
{
"Id": "sha256:d261fd19cb63238535ab80d4e1be1d9e7f6c8b5a28a820188968dd3e6f06072d",
"RepoTags": [
"nginx:custom",
"nginx:latest",
"rafi494/nginx:custom"
],
"RepoDigests": [
"nginx@sha256:1beed3ca46acebe9d3fb62e9067f03d05d5bfa97a00f30938a0a3580563272ad",
"rafi494/nginx@sha256:9cee757adcd29d3aa6c309f62ccc426ec99bac5e5d9e9ac49d4a00568e0132dd"
],

Kyverno
https://kyverno.io/docs/installation/methods/
kyverno is a cloud native policy engine. It was originally built for Kubernetes and now can also be used outside of Kubernetes clusters as a unified policy language .
Some of its many features include:
- policies as YAML-based declarative Kubernetes resources with no new language to learn!
- enforce policies as a Kubernetes admission controller, CLI-based scanner, and at runtime
- validate, mutate, generate, or cleanup (remove) any Kubernetes resource
- verify container images and metadata for software supply chain security
- policies for any JSON payload including Terraform resources, cloud resources, and service authorization
- policy reporting using the open reporting format from the CNCF Policy WG
- flexible policy exception management
- tooling for comprehensive unit and e2e testing of policies
- management of policies as code resources using familiar tools like
gitandkustomize

