Container Tags, Digests, SBOMs, and Provenance: Building a Verifiable Release Chain
Why latest is not an identity, how OCI digests anchor releases, and how signatures, attestations, SBOMs, and admission policy work together.
A container tag is a human-friendly pointer. A digest is a content-derived identifier for an OCI manifest. If app:latest points somewhere new tomorrow, yesterday’s deployment manifest no longer tells an investigator what ran. Pinning app@sha256:… makes the artifact reference stable, but digest pinning alone says nothing about who built it or whether the source and build process were trusted.
Evidence layers
An SBOM inventories components. A vulnerability scan compares that inventory and package metadata with known advisories. A signature links an identity or key to an artifact. A provenance attestation describes how an artifact was built. These records answer different questions and should be attached to the digest, retained with the release, and verified before deployment.
A defensible pipeline
Build once in an isolated CI identity; generate an SBOM and provenance; scan the artifact; sign or attest it using the organization’s supported keyless or key-managed workflow; then promote the same digest. Admission policy can require trusted issuer/subject claims and approved provenance rather than merely checking that some signature exists.
Registry controls
Use repository permissions, immutable release tags, retention exceptions, encryption, audit logs, and replication. Cleanup must preserve deployed and investigatory artifacts plus their attestations. Mirroring an image does not automatically mirror every signature format or policy record, so test verification at the destination.
Remaining limits
Signed malware is still signed. An SBOM may omit statically linked or vendored components. A clean scan is time-bound because new vulnerabilities are disclosed later. Supply-chain security therefore combines reproducible policy evidence, least privilege, patch/rebuild cadence, runtime controls, and incident response.
Sources: OCI Image specification, SLSA specification, Sigstore documentation