Container Image Security (Signing and Scanning with tools like Cosign, Trivy)

infosecwriteups.com · Peace Dennis · 8 days ago · tutorial
Peace Dennis · InfoSec Write-ups · ~4 min read · April 3, 2026

I hope you are enjoying the Kubernetes security posts I have been sharing; they have honestly been interesting so far. In my last post I covered Pod Security Standards (PSS) and policy enforcement with Kyverno and OPA Gatekeeper. This post moves one step earlier in the pipeline, to container image security, and it is a full hands-on experience.

Container images power almost everything we deploy today, but an image that is never checked is an easy entry point for an attacker: a tampered or vulnerable image that gets pulled into a cluster runs with whatever permissions the pod is granted. Two tools help close that gap: Cosign, to sign images so their origin and integrity can be verified, and Trivy, to scan them for known vulnerabilities. And trust me, I won't just talk about them, I will show you how they work.

Cosign: Proving an image is really yours

Cosign digitally "seals" an image by signing its digest, so whoever pulls the image can check that it is the one you published and that nobody altered it in between. The signature is bound to the content-addressed digest, not to a mutable tag, so re-pointing a tag at a different image cannot make that image look signed. Here are the practical steps I took:

➡️ Signed a container image locally with a key pair, which produced a verifiable signature stored next to the image in the registry.
➡️ Verified the signature locally, confirming that the digest and the signer identity matched exactly.
➡️ Tried to verify an unsigned image, and verification failed, which proved the gate was working exactly as it should.
➡️ Then, inside GitHub Actions, used the runner's OIDC token to sign the image automatically right after the build. This "keyless signing" mode needs no long-lived private key to store or rotate: Sigstore issues a short-lived certificate tied to the workflow's identity, so verifiers check who signed (the certificate identity and its OIDC issuer) rather than which key was used.
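The three local steps above, written out as an added example (these are not the author's exact commands). It assumes the two image names, that both have already been pushed to the registry, and that `cosign generate-key-pair` writes `cosign.key` / `cosign.pub` in the current directory; the negative check on the unsigned image is turned into a reusable `expect_failure` helper so the gate test is explicit rather than something you eyeball.

```shell
#!/usr/bin/env sh
# Added example of the local, key-based Cosign flow. Image names are assumptions.
set -eu

SIGNED_IMAGE="docker.io/example/cosign-test-app:1.0"        # assumption
UNSIGNED_IMAGE="docker.io/example/cosign-failure-test:1.0"  # assumption

# Resolve a tag to its immutable digest reference (repo@sha256:...) so the
# signature binds to content, not to a tag that can be moved later.
# RepoDigests is populated once the image has been pushed or pulled.
image_digest_ref() {
  docker inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Run a command that is supposed to fail. Returns 0 if it failed, 1 if it
# unexpectedly succeeded, so "the unsigned image fails verification" becomes a
# check the script can assert on.
expect_failure() {
  if "$@" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

sign_and_verify() {
  # Set COSIGN_PASSWORD in the environment to run non-interactively; the
  # password protects cosign.key at rest.
  cosign generate-key-pair

  ref="$(image_digest_ref "$SIGNED_IMAGE")"
  # --yes skips the confirmation prompt for uploading to the transparency log.
  cosign sign --yes --key cosign.key "$ref"

  # Prints the verified payload, including the digest that was signed.
  cosign verify --key cosign.pub "$ref"

  # The gate test: an image with no signature must be rejected.
  expect_failure cosign verify --key cosign.pub "$UNSIGNED_IMAGE"
  echo "unsigned image correctly rejected"
}

# Only invoke the tools when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
  sign_and_verify
fi
```

Run it as `sh cosign-local.sh run` (assumed filename) with Docker and Cosign installed. Signing by digest rather than by tag matters: Cosign warns when given a tag precisely because a tag is not what the signature covers.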
[Screenshots: Docker Hub containing the two repositories cosign-test-app and cosign-failure-test; successful manual key verification; verification of an unsigned image failing; the move from manual key signing to automated OIDC keyless signing; the automated security workflow run; the GitHub Container Registry confirming the result; the image verified by its identity.]

You can see trust being enforced automatically, in real time; it feels really rewarding.

Trivy: Stopping vulnerabilities before they move forward

Next I integrated Trivy into the CI workflow to scan images for known vulnerabilities. Here are the practical steps I took:

➡️ Configured Trivy to return a non-zero exit code, and so fail the whole build, when a CRITICAL or HIGH vulnerability is found, so a vulnerable image never even gets close to the registry.
➡️ Made the Docker push step run only if the scan step passed. If the image wasn't safe, the pipeline simply stopped.
➡️ Generated an SBOM (sbom.json) and uploaded it as a GitHub Actions artifact. An SBOM lists the packages inside the image, which is invaluable during audits and when a new CVE is published and you need to know which images contain the affected package.

[Screenshots: vulnerability scan of a clean image; successful deployment of the clean image; scan of the "failure-test" image revealing 98 vulnerabilities; a two-part deep dive into those results; Trivy configured to exit with code 1 when CRITICAL or HIGH severity issues are detected; the HIGH vulnerabilities found; the GitHub Action configured to fail on CRITICAL or HIGH severity issues; the Software Bill of Materials (SBOM) uploaded as an artifact for visibility and traceability.]

This way you catch issues early, fix them early, and never let an unsafe image anywhere near production. One caveat: a clean scan is a point-in-time result. New CVEs are published every day, so images already sitting in the registry should be rescanned on a schedule rather than trusted forever on the strength of the scan that let them in. Together the tools make the workflow secure:

🔹 Trivy checks for known vulnerabilities.
🔹 Cosign ensures authenticity and integrity.
🔹 Kyverno/Gatekeeper, verifying signatures at admission, blocks anything unsigned or unsafe from entering Kubernetes.
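The CI side of both sections, the Trivy gate and keyless Cosign signing, as one added example of the shell a GitHub Actions job would run; it is not the author's workflow file. It assumes a GitHub Actions job with `permissions: { contents: read, packages: write, id-token: write }` (the `id-token: write` grant is what lets Cosign pick up the runner's OIDC token), an image pushed to GHCR, and the repository, image and workflow names shown, all of which are placeholders. The pipeline order, build, SBOM, scan, push, sign, means a failed scan leaves nothing pushed and nothing to sign.

```shell
#!/usr/bin/env sh
# Added example of the CI steps: Trivy gate, push only on pass, SBOM, keyless
# sign, verify by identity. Names below are assumptions, not the author's.
set -eu

REGISTRY="ghcr.io"
IMAGE="${REGISTRY}/example-org/cosign-test-app"   # assumption
TAG="${GITHUB_SHA:-dev}"                           # GitHub Actions sets GITHUB_SHA
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# The identity Sigstore's Fulcio records in the certificate for a GitHub
# Actions run: the workflow file that ran, plus the git ref that triggered it.
# Pinning it exactly at verification time is what stops a signature from any
# other repository or workflow from being accepted.
keyless_identity() {
  printf 'https://github.com/%s/%s/.github/workflows/%s@%s\n' "$1" "$2" "$3" "$4"
}
EXPECTED_IDENTITY="$(keyless_identity example-org cosign-test-app release.yml refs/heads/main)"

build() { docker build -t "${IMAGE}:${TAG}" . ; }

# SBOM first, so it exists even when the scan below fails and you need to
# triage what is inside. Upload sbom.json with actions/upload-artifact.
sbom() { trivy image --format cyclonedx --output sbom.json "${IMAGE}:${TAG}" ; }

# The gate: exit code 1 on any CRITICAL or HIGH finding fails the job.
# Add --ignore-unfixed if you only want to fail on findings that have a patch.
scan() { trivy image --exit-code 1 --severity CRITICAL,HIGH "${IMAGE}:${TAG}" ; }

push() { docker push "${IMAGE}:${TAG}" ; }

# Sign by digest, never by tag. No key file: Cosign uses the ambient GitHub
# OIDC token and gets a short-lived certificate bound to this workflow.
sign() {
  ref="$(docker inspect --format '{{index .RepoDigests 0}}' "${IMAGE}:${TAG}")"
  cosign sign --yes "$ref"
  # Verify immediately, the same way a consumer or admission controller would.
  cosign verify --certificate-identity "$EXPECTED_IDENTITY" \
                --certificate-oidc-issuer "$OIDC_ISSUER" "$ref"
}

# Each step runs only if the previous one succeeded, so a failing scan means
# no push and nothing to sign.
pipeline() { build && sbom && scan && push && sign ; }

if [ "${1:-}" = "run" ]; then
  pipeline
fi
```

The ordering is the whole point of the gate: `push` is unreachable unless `scan` returns 0, which is the same property the post gets from making the push step depend on the scan step in the workflow. When verifying, prefer the exact `--certificate-identity` over a loose `--certificate-identity-regexp`; a regexp that matches more than one workflow accepts signatures you did not mean to trust.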
If you find this useful, let me know in the comments, give it a clap, and follow for more cloud security content.

#cosign #trivy #docker #container-images #container-security