From 6e1f777926cc92be3bb5aa0d8389eaaff43bb072 Mon Sep 17 00:00:00 2001 From: Charly Molter Date: Fri, 19 Jun 2026 18:05:45 +0200 Subject: [PATCH 1/5] feat(event-gateway): add image signature and attestation verification guide Add a how-to for verifying the kong/kong-event-gateway container image with Cosign: list supply chain artifacts, verify the image signature, verify and inspect attestations, and extract the SBOM. The example version is derived from product data and the signing identity is pinned to the matching release tag. Cross-link the new guide with the Event Gateway lifecycle pages (upgrade, breaking changes, known limitations, version support policy, changelog) so all of these pages reference each other. --- ...erify-image-signatures-and-attestations.md | 158 ++++++++++++++++++ app/event-gateway/breaking-changes.md | 4 + app/event-gateway/changelog.md | 12 ++ app/event-gateway/known-limitations.md | 10 ++ app/event-gateway/upgrade.md | 4 + app/event-gateway/version-support-policy.md | 10 ++ 6 files changed, 198 insertions(+) create mode 100644 app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md diff --git a/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md b/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md new file mode 100644 index 00000000000..9d9904254cb --- /dev/null +++ b/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md @@ -0,0 +1,158 @@ +--- +title: Verify {{site.event_gateway}} image signatures and attestations +content_type: how_to + +permalink: /event-gateway/verify-image-signatures-and-attestations/ + +description: "Use Cosign to verify the signature of the {{site.event_gateway}} container image and to inspect the attestations attached to it, including the SBOM and vulnerability scans." + +products: + - event-gateway + +works_on: + - konnect + +breadcrumbs: + - /event-gateway/ + +tags: + - event-gateway + - docker + - security + +related_resources: + - text: "Upgrading {{site.event_gateway_short}}" + url: /event-gateway/upgrade/ + - text: "{{site.event_gateway_short}} breaking changes and known issues" + url: /event-gateway/breaking-changes/ + - text: "{{site.event_gateway_short}} known limitations" + url: /event-gateway/known-limitations/ + - text: "{{site.event_gateway_short}} version support policy" + url: /event-gateway/version-support-policy/ + - text: "{{site.event_gateway_short}} changelog" + url: /event-gateway/changelog/ + +prereqs: + skip_product: true + inline: + - title: Cosign + position: before + icon_url: /assets/icons/cosign.svg + content: | + {{site.event_gateway}} container images and their attestations are signed using [Cosign](https://github.com/sigstore/cosign). + + Install [Cosign](https://docs.sigstore.dev/cosign/system_config/installation/) **2.4.0 or later** by following the installation instructions for your system. {{site.event_gateway_short}} signatures use the newer Sigstore bundle format (`--new-bundle-format`), which earlier Cosign versions can't verify. Check your version with `cosign version`. + + Unlike some other Kong products, {{site.event_gateway_short}} attestations and signatures are attached directly to the image, so you don't need to set `COSIGN_REPOSITORY`. + - title: regctl + position: before + include_content: prereqs/regctl + icon_url: /assets/icons/code.svg + - title: jq + position: before + content: | + You'll use [`jq`](https://jqlang.org/download/) to parse the JSON attestations that Cosign downloads. + +tldr: + q: How do I verify the {{site.event_gateway}} container image and read its SBOM? + a: | + {{site.event_gateway}} images are published to `kong/kong-event-gateway` on Docker Hub and signed with [Cosign](https://github.com/sigstore/cosign) using GitHub's OIDC identity. + + List every supply chain artifact attached to an image with `cosign tree kong/kong-event-gateway:`, verify the image signature with `cosign verify`, and verify or extract individual attestations (SBOM, vulnerability scans) with `cosign verify-attestation`. + +automated_tests: false +--- + +{% assign egw_release = site.data.products["event-gateway"].releases | where: "latest", true | first %} + +{{site.event_gateway}} container images are published to [`kong/kong-event-gateway`](https://hub.docker.com/r/kong/kong-event-gateway) on Docker Hub. +Each image is signed with [Cosign](https://github.com/sigstore/cosign) using GitHub's OIDC identity, and a set of attestations (SBOM, vulnerability scans, and more) is attached to it. + +{:.warning} +> Image signatures and attestations are only available from {{site.event_gateway_short}} **1.1.1** onwards. Earlier releases have no supply chain artifacts attached, so the commands on this page won't return anything for them. + +{:.info} +> The examples below use `kong/kong-event-gateway:{{ egw_release.version }}`. Replace the version with the {{site.event_gateway_short}} release you want to verify. +> The signing identity (`...@refs/tags/v{{ egw_release.version }}`) must match the exact release tag of the image you're verifying, so keep the version consistent between the image and the `--certificate-identity` flag. + +## List the artifacts attached to an image + +Use `cosign tree` to see every signature and attestation attached to an image: + +```sh +cosign tree kong/kong-event-gateway:{{ egw_release.version }} +``` + +The output lists the supply chain artifacts (signatures and attestations) that are stored alongside the image in the registry. + +## Verify the image signature + +1. Read the manifest digest for the image with `regctl`: + + ```sh + regctl manifest digest kong/kong-event-gateway:{{ egw_release.version }} + ``` + + The command outputs a `SHA-256` digest (`sha256:...`). Pinning to a digest guarantees you verify exactly the image you're going to run. + +1. Verify the signature with `cosign verify`: + + ```sh + cosign verify \ + --new-bundle-format=true \ + -a repo="kong-gateway/event-gateway" \ + -a workflow="CI" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ + --certificate-identity="https://github.com/kong-gateway/event-gateway/.github/workflows/ci.yaml@refs/tags/v{{ egw_release.version }}" \ + kong/kong-event-gateway:{{ egw_release.version }} + ``` + + If verification is successful, the response contains a summary of the checks that were performed: + + ``` + Verification for index.docker.io/kong/kong-event-gateway:{{ egw_release.version }} -- + The following checks were performed on each of these signatures: + - The specified annotations were verified. + - The cosign claims were validated + - Existence of the claims in the transparency log was verified offline + - The code-signing certificate was verified using trusted certificate authority certificates + ``` + {:.no-copy-code} + +## Verify and inspect attestations + +{{site.event_gateway}} images carry several signed attestations. The most commonly used predicate types are: + +| Attestation | Predicate type | `--type` value | +|-------------|----------------|----------------| +| SPDX SBOM | `https://spdx.dev/Document` | `spdxjson` | +| CycloneDX SBOM | `https://cyclonedx.org/bom` | `cyclonedx` | +| Vulnerability scan (SARIF) | `https://cosign.sigstore.dev/sarif/vuln/...` | `vuln` | +| CIS Docker benchmark | `https://cisecurity.org/docker/...` | _(use the full URL)_ | + +{:.info} +> The exact set of attestations can change between releases. Use [`cosign tree`](#list-the-artifacts-attached-to-an-image) to see the authoritative list for the image you're verifying. + +To verify an attestation's signature and print its contents, use `cosign verify-attestation` with the matching `--type`. For example, to verify the SPDX SBOM: + +```sh +cosign verify-attestation \ + --type="spdxjson" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ + --certificate-identity="https://github.com/kong-gateway/event-gateway/.github/workflows/ci.yaml@refs/tags/v{{ egw_release.version }}" \ + kong/kong-event-gateway:{{ egw_release.version }} +``` + +For predicate types that don't have a built-in alias, pass the full predicate type URL to `--type` instead, for example `--type="https://cisecurity.org/docker/amd64"`. + +## Extract the SBOM + +To save the SPDX SBOM to a file, download the attestations and filter for the SBOM predicate type with `jq`: + +```sh +cosign download attestation kong/kong-event-gateway:{{ egw_release.version }} \ + | jq -r 'select((.dsseEnvelope.payload // .payload | @base64d | fromjson | .predicateType) == "https://spdx.dev/Document") | (.dsseEnvelope.payload // .payload) | @base64d | fromjson | .predicate' \ + > sbom.spdx.json +``` + +This writes the SBOM document to `sbom.spdx.json`, which you can then feed into your SBOM tooling. To extract the CycloneDX SBOM instead, replace the predicate type with `https://cyclonedx.org/bom`. diff --git a/app/event-gateway/breaking-changes.md b/app/event-gateway/breaking-changes.md index 7adf4675c15..0213f1c50c6 100644 --- a/app/event-gateway/breaking-changes.md +++ b/app/event-gateway/breaking-changes.md @@ -19,10 +19,14 @@ description: "Review {{site.event_gateway_short}} version breaking changes befor related_resources: - text: Upgrading {{site.event_gateway_short}} url: /event-gateway/upgrade/ + - text: "{{site.event_gateway_short}} known limitations" + url: /event-gateway/known-limitations/ - text: "{{site.event_gateway_short}} version support" url: /event-gateway/version-support-policy/ - text: "{{site.event_gateway_short}} changelog" url: /event-gateway/changelog/ + - text: "Verify {{site.event_gateway_short}} image signatures and attestations" + url: /event-gateway/verify-image-signatures-and-attestations/ --- Before upgrading, review any configuration or breaking changes in the version you're upgrading to and prior versions that diff --git a/app/event-gateway/changelog.md b/app/event-gateway/changelog.md index 641ca4ebaab..1736a3f1c8c 100644 --- a/app/event-gateway/changelog.md +++ b/app/event-gateway/changelog.md @@ -10,6 +10,18 @@ breadcrumbs: tags: - changelog + +related_resources: + - text: "Upgrading {{site.event_gateway_short}}" + url: /event-gateway/upgrade/ + - text: "{{site.event_gateway_short}} breaking changes and known issues" + url: /event-gateway/breaking-changes/ + - text: "{{site.event_gateway_short}} known limitations" + url: /event-gateway/known-limitations/ + - text: "{{site.event_gateway_short}} version support" + url: /event-gateway/version-support-policy/ + - text: "Verify {{site.event_gateway_short}} image signatures and attestations" + url: /event-gateway/verify-image-signatures-and-attestations/ --- Changelog for supported {{site.event_gateway}} versions. diff --git a/app/event-gateway/known-limitations.md b/app/event-gateway/known-limitations.md index a9c35935903..dd29d4f6419 100644 --- a/app/event-gateway/known-limitations.md +++ b/app/event-gateway/known-limitations.md @@ -8,6 +8,16 @@ description: This page lists the current {{site.event_gateway}} limitations. related_resources: - text: "{{site.event_gateway}}" url: /event-gateway/ + - text: "Upgrading {{site.event_gateway_short}}" + url: /event-gateway/upgrade/ + - text: "{{site.event_gateway_short}} breaking changes and known issues" + url: /event-gateway/breaking-changes/ + - text: "{{site.event_gateway_short}} version support" + url: /event-gateway/version-support-policy/ + - text: "{{site.event_gateway_short}} changelog" + url: /event-gateway/changelog/ + - text: "Verify {{site.event_gateway_short}} image signatures and attestations" + url: /event-gateway/verify-image-signatures-and-attestations/ products: - event-gateway diff --git a/app/event-gateway/upgrade.md b/app/event-gateway/upgrade.md index d517a48c370..9adb6ce113b 100644 --- a/app/event-gateway/upgrade.md +++ b/app/event-gateway/upgrade.md @@ -12,10 +12,14 @@ products: related_resources: - text: "{{site.event_gateway_short}} breaking changes and known issues" url: /event-gateway/breaking-changes/ + - text: "{{site.event_gateway_short}} known limitations" + url: /event-gateway/known-limitations/ - text: "{{site.event_gateway_short}} version support" url: /event-gateway/version-support-policy/ - text: "{{site.event_gateway_short}} changelog" url: /event-gateway/changelog/ + - text: "Verify {{site.event_gateway_short}} image signatures and attestations" + url: /event-gateway/verify-image-signatures-and-attestations/ breadcrumbs: - /event-gateway/ diff --git a/app/event-gateway/version-support-policy.md b/app/event-gateway/version-support-policy.md index 7dfeebb8f00..bfb057cea3e 100644 --- a/app/event-gateway/version-support-policy.md +++ b/app/event-gateway/version-support-policy.md @@ -15,12 +15,22 @@ description: | related_resources: - text: "{{site.event_gateway}}" url: /event-gateway/ + - text: "Upgrading {{site.event_gateway_short}}" + url: /event-gateway/upgrade/ + - text: "{{site.event_gateway_short}} breaking changes and known issues" + url: /event-gateway/breaking-changes/ + - text: "{{site.event_gateway_short}} known limitations" + url: /event-gateway/known-limitations/ + - text: "{{site.event_gateway_short}} changelog" + url: /event-gateway/changelog/ - text: "{{site.base_gateway}} version support policy" url: /gateway/version-support-policy/ - text: "{{site.konnect_short_name}} compatibility and support policy" url: /konnect-platform/compatibility/ - text: "Kong vulnerability patching process" url: /gateway/vulnerabilities/ + - text: "Verify {{site.event_gateway_short}} image signatures and attestations" + url: /event-gateway/verify-image-signatures-and-attestations/ works_on: - konnect From cf8c55f9ce1fbf0e7b28b796dc3ad27e984f2518 Mon Sep 17 00:00:00 2001 From: Charly Molter Date: Tue, 23 Jun 2026 09:19:56 +0200 Subject: [PATCH 2/5] reivew Signed-off-by: Charly Molter --- ...erify-image-signatures-and-attestations.md | 63 +++++++++++++++---- app/_indices/event-gateway.yaml | 1 + 2 files changed, 51 insertions(+), 13 deletions(-) diff --git a/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md b/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md index 9d9904254cb..e4897b1e902 100644 --- a/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md +++ b/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md @@ -12,6 +12,8 @@ products: works_on: - konnect +tools: [] + breadcrumbs: - /event-gateway/ @@ -87,13 +89,21 @@ The output lists the supply chain artifacts (signatures and attestations) that a ## Verify the image signature -1. Read the manifest digest for the image with `regctl`: +1. Read the manifest digest for the image with `regctl` and store it in a variable: + + ```sh + export IMAGE_DIGEST=$(regctl manifest digest kong/kong-event-gateway:{{ egw_release.version }}) + echo $IMAGE_DIGEST + ``` + + This captures the image's `SHA-256` digest so you can reuse it in the commands below, and prints it: ```sh - regctl manifest digest kong/kong-event-gateway:{{ egw_release.version }} + sha256:... ``` + {:.no-copy-code} - The command outputs a `SHA-256` digest (`sha256:...`). Pinning to a digest guarantees you verify exactly the image you're going to run. + Pinning to a digest guarantees you verify exactly the image you're going to run, even if the tag is later repointed to a different image. 1. Verify the signature with `cosign verify`: @@ -104,13 +114,13 @@ The output lists the supply chain artifacts (signatures and attestations) that a -a workflow="CI" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ --certificate-identity="https://github.com/kong-gateway/event-gateway/.github/workflows/ci.yaml@refs/tags/v{{ egw_release.version }}" \ - kong/kong-event-gateway:{{ egw_release.version }} + kong/kong-event-gateway@${IMAGE_DIGEST} ``` If verification is successful, the response contains a summary of the checks that were performed: ``` - Verification for index.docker.io/kong/kong-event-gateway:{{ egw_release.version }} -- + Verification for index.docker.io/kong/kong-event-gateway@sha256:... -- The following checks were performed on each of these signatures: - The specified annotations were verified. - The cosign claims were validated @@ -123,12 +133,28 @@ The output lists the supply chain artifacts (signatures and attestations) that a {{site.event_gateway}} images carry several signed attestations. The most commonly used predicate types are: -| Attestation | Predicate type | `--type` value | -|-------------|----------------|----------------| -| SPDX SBOM | `https://spdx.dev/Document` | `spdxjson` | -| CycloneDX SBOM | `https://cyclonedx.org/bom` | `cyclonedx` | -| Vulnerability scan (SARIF) | `https://cosign.sigstore.dev/sarif/vuln/...` | `vuln` | -| CIS Docker benchmark | `https://cisecurity.org/docker/...` | _(use the full URL)_ | +{% table %} +columns: + - title: Attestation + key: attestation + - title: Predicate type + key: predicate_type + - title: "`--type` value" + key: type_value +rows: + - attestation: SPDX SBOM + predicate_type: "`https://spdx.dev/Document`" + type_value: "`spdxjson`" + - attestation: CycloneDX SBOM + predicate_type: "`https://cyclonedx.org/bom`" + type_value: "`cyclonedx`" + - attestation: Vulnerability scan (SARIF) + predicate_type: "`https://cosign.sigstore.dev/sarif/vuln/...`" + type_value: "`vuln`" + - attestation: CIS Docker benchmark + predicate_type: "`https://cisecurity.org/docker/...`" + type_value: "_(use the full URL)_" +{% endtable %} {:.info} > The exact set of attestations can change between releases. Use [`cosign tree`](#list-the-artifacts-attached-to-an-image) to see the authoritative list for the image you're verifying. @@ -140,7 +166,7 @@ cosign verify-attestation \ --type="spdxjson" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ --certificate-identity="https://github.com/kong-gateway/event-gateway/.github/workflows/ci.yaml@refs/tags/v{{ egw_release.version }}" \ - kong/kong-event-gateway:{{ egw_release.version }} + kong/kong-event-gateway@${IMAGE_DIGEST} ``` For predicate types that don't have a built-in alias, pass the full predicate type URL to `--type` instead, for example `--type="https://cisecurity.org/docker/amd64"`. @@ -150,9 +176,20 @@ For predicate types that don't have a built-in alias, pass the full predicate ty To save the SPDX SBOM to a file, download the attestations and filter for the SBOM predicate type with `jq`: ```sh -cosign download attestation kong/kong-event-gateway:{{ egw_release.version }} \ +cosign download attestation kong/kong-event-gateway@${IMAGE_DIGEST} \ | jq -r 'select((.dsseEnvelope.payload // .payload | @base64d | fromjson | .predicateType) == "https://spdx.dev/Document") | (.dsseEnvelope.payload // .payload) | @base64d | fromjson | .predicate' \ > sbom.spdx.json ``` This writes the SBOM document to `sbom.spdx.json`, which you can then feed into your SBOM tooling. To extract the CycloneDX SBOM instead, replace the predicate type with `https://cyclonedx.org/bom`. + +## Validate the extracted SBOM + +Confirm that the extracted file is valid JSON and contains the expected SPDX fields: + +```sh +jq -e '.spdxVersion and (.packages | length > 0)' sbom.spdx.json \ + && echo "Valid SPDX SBOM with $(jq '.packages | length' sbom.spdx.json) packages" +``` + +If the file is a well-formed SPDX SBOM, the command prints `true` followed by the package count. If `jq` reports a parse error or the expression evaluates to `false`, the download or filter step didn't produce a valid document. Re-check the predicate type and confirm the previous commands completed successfully. diff --git a/app/_indices/event-gateway.yaml b/app/_indices/event-gateway.yaml index ad837772049..d46daa8963a 100644 --- a/app/_indices/event-gateway.yaml +++ b/app/_indices/event-gateway.yaml @@ -44,6 +44,7 @@ sections: - path: /event-gateway/configure-sasl-plain-backend-cluster-auth/ - path: /event-gateway/configure-mtls-backend-cluster-auth/ - path: /event-gateway/validate-avro-messages-with-schema-registry/ + - path: /event-gateway/verify-image-signatures-and-attestations/ - title: "References" items: - title: Event Gateway OpenAPI specification From 1cf75b216251b6f51dbfcdea5318df2baf37c02b Mon Sep 17 00:00:00 2001 From: Charly Molter Date: Tue, 23 Jun 2026 09:25:48 +0200 Subject: [PATCH 3/5] fix vale Signed-off-by: Charly Molter --- ...erify-image-signatures-and-attestations.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md b/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md index e4897b1e902..38e922f04e0 100644 --- a/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md +++ b/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md @@ -103,7 +103,7 @@ The output lists the supply chain artifacts (signatures and attestations) that a ``` {:.no-copy-code} - Pinning to a digest guarantees you verify exactly the image you're going to run, even if the tag is later repointed to a different image. + Pinning to a digest guarantees you verify exactly the image you're going to run, even if the tag is later moved to a different image. 1. Verify the signature with `cosign verify`: @@ -138,22 +138,22 @@ columns: - title: Attestation key: attestation - title: Predicate type - key: predicate_type + key: predicate - title: "`--type` value" - key: type_value + key: type rows: - attestation: SPDX SBOM - predicate_type: "`https://spdx.dev/Document`" - type_value: "`spdxjson`" + predicate: "`https://spdx.dev/Document`" + type: "`spdxjson`" - attestation: CycloneDX SBOM - predicate_type: "`https://cyclonedx.org/bom`" - type_value: "`cyclonedx`" + predicate: "`https://cyclonedx.org/bom`" + type: "`cyclonedx`" - attestation: Vulnerability scan (SARIF) - predicate_type: "`https://cosign.sigstore.dev/sarif/vuln/...`" - type_value: "`vuln`" + predicate: "`https://cosign.sigstore.dev/sarif/vuln/...`" + type: "`vuln`" - attestation: CIS Docker benchmark - predicate_type: "`https://cisecurity.org/docker/...`" - type_value: "_(use the full URL)_" + predicate: "`https://cisecurity.org/docker/...`" + type: "_(use the full URL)_" {% endtable %} {:.info} From 591bf49230019956e6f5b6e8382adb255bd4e6e8 Mon Sep 17 00:00:00 2001 From: Charly Molter Date: Tue, 23 Jun 2026 10:22:32 +0200 Subject: [PATCH 4/5] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../event-gateway/verify-image-signatures-and-attestations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md b/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md index 38e922f04e0..c70038cbc6b 100644 --- a/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md +++ b/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md @@ -60,7 +60,7 @@ tldr: a: | {{site.event_gateway}} images are published to `kong/kong-event-gateway` on Docker Hub and signed with [Cosign](https://github.com/sigstore/cosign) using GitHub's OIDC identity. - List every supply chain artifact attached to an image with `cosign tree kong/kong-event-gateway:`, verify the image signature with `cosign verify`, and verify or extract individual attestations (SBOM, vulnerability scans) with `cosign verify-attestation`. + List every supply chain artifact attached to an image with `cosign tree kong/kong-event-gateway:VERSION`, verify the image signature with `cosign verify`, and verify or extract individual attestations (SBOM, vulnerability scans) with `cosign verify-attestation`. automated_tests: false --- From 84fa279efa58e9f63005dc3ec835a1716bc69986 Mon Sep 17 00:00:00 2001 From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Wed, 1 Jul 2026 14:26:41 -0700 Subject: [PATCH 5/5] Minor edits + set minimum version Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com> --- .../verify-image-signatures-and-attestations.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md b/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md index c70038cbc6b..54968f8e778 100644 --- a/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md +++ b/app/_how-tos/event-gateway/verify-image-signatures-and-attestations.md @@ -12,6 +12,8 @@ products: works_on: - konnect +min_version: + event-gateway: '1.1.1' tools: [] breadcrumbs: @@ -96,7 +98,7 @@ The output lists the supply chain artifacts (signatures and attestations) that a echo $IMAGE_DIGEST ``` - This captures the image's `SHA-256` digest so you can reuse it in the commands below, and prints it: + This captures the image's SHA-256 digest so you can reuse it in the commands below, and prints it: ```sh sha256:... @@ -117,7 +119,7 @@ The output lists the supply chain artifacts (signatures and attestations) that a kong/kong-event-gateway@${IMAGE_DIGEST} ``` - If verification is successful, the response contains a summary of the checks that were performed: + If verification succeeds, the response contains a summary of the checks that were performed: ``` Verification for index.docker.io/kong/kong-event-gateway@sha256:... -- @@ -159,7 +161,7 @@ rows: {:.info} > The exact set of attestations can change between releases. Use [`cosign tree`](#list-the-artifacts-attached-to-an-image) to see the authoritative list for the image you're verifying. -To verify an attestation's signature and print its contents, use `cosign verify-attestation` with the matching `--type`. For example, to verify the SPDX SBOM: +To verify an attestation's signature and print its contents, use `cosign verify-attestation` with the matching `--type`. For example, to verify the SPDX SBOM, run: ```sh cosign verify-attestation \ @@ -169,7 +171,7 @@ cosign verify-attestation \ kong/kong-event-gateway@${IMAGE_DIGEST} ``` -For predicate types that don't have a built-in alias, pass the full predicate type URL to `--type` instead, for example `--type="https://cisecurity.org/docker/amd64"`. +For predicate types that don't have a built-in alias, pass the full predicate type URL to `--type` instead. For example: `--type="https://cisecurity.org/docker/amd64"`. ## Extract the SBOM