Early access: Elevarq Analyzer is not yet generally available; this manual documents the current build.

How-to guide

Verify the image and SBOM

Confirm the Workbench container image you pulled is the one Elevarq published, before you run it. Verification uses public inputs only — no Elevarq-issued credentials are needed. Do this once per release tag you deploy.

Tools

  • cosign v2.x — from sigstore/cosign.
  • jq (to resolve the digest and parse the SBOM).

Verify the image signature

Every release-tagged image is signed by the Workbench release workflow using Cosign keyless OIDC — the signing identity is the workflow itself, recorded in the public Rekor transparency log. Resolve the digest, then verify it:

TAG=v0.1.0

# Resolve the mutable tag to its immutable manifest digest, so that the
# reference you verify and the reference you later run are the same bytes.
DIGEST=$(docker buildx imagetools inspect \
  "ghcr.io/elevarq/workbench:${TAG}" \
  --format '{{json .}}' | jq -r '.manifest.digest')

# Keyless verification: the signing certificate's subject must be the
# release workflow in the Elevarq GitHub organisation, issued by GitHub's
# Actions OIDC provider. Both flags are required; a missing identity or
# issuer constraint would accept any Fulcio-issued certificate.
cosign verify "ghcr.io/elevarq/workbench@${DIGEST}" \
  --certificate-identity-regexp '^https://github.com/Elevarq/.+/\.github/workflows/release\.yml@.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

A successful verification prints, among other lines:

Verification for ghcr.io/elevarq/workbench@sha256:...
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

A failure aborts with a non-zero exit. Do not run an image whose signature does not verify.

What verification proves — and doesn't

It proves the image was built and signed by the published Workbench release workflow at the named tag, and that the signing event is in the public transparency log. It does not prove:

  • That the image is free of defects — combine it with the SBOM and your own scanning.
  • That a license artefact is authentic — license verification is a separate path Workbench performs itself at activation, against its embedded public key ring.
  • That the host is hardened — host-OS posture is your responsibility.

Download and inspect the SBOM

Each release attaches a Software Bill of Materials in SPDX JSON format (asset name arq-workbench-<tag>-sbom.spdx.json). Download it from the release page, then inspect the package list:

# count packages
jq '.packages | length' arq-workbench-v0.1.0-sbom.spdx.json

# list name + version
jq -r '.packages[] | "\(.name) \(.versionInfo)"' arq-workbench-v0.1.0-sbom.spdx.json
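The same inspection, carried a step further than the two jq one-liners: the script below parses the SPDX JSON, checks that the document's top-level subject is the image at the tag you verified (rather than some other build), and reports any package whose expected version is absent. It is an added example for this guide, not Elevarq's own tooling, and the embedded SBOM is a constructed sample with the same shape as the release asset.

```python
import json

# Constructed sample SPDX 2.3 document in the shape of the release asset.
# Package names and versions are illustrative, not Elevarq's real SBOM.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "ghcr.io/elevarq/workbench:v0.1.0",
    "documentDescribes": ["SPDXRef-image"],
    "packages": [
        {"SPDXID": "SPDXRef-image", "name": "ghcr.io/elevarq/workbench",
         "versionInfo": "v0.1.0"},
        {"SPDXID": "SPDXRef-pkg-1", "name": "openssl", "versionInfo": "3.0.13-r0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/alpine/openssl@3.0.13-r0"}]},
        {"SPDXID": "SPDXRef-pkg-2", "name": "zlib", "versionInfo": "1.3.1-r0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/alpine/zlib@1.3.1-r0"}]},
        {"SPDXID": "SPDXRef-pkg-3", "name": "requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
    ],
})


def load_packages(sbom_text):
    """Return {(name, version): purl or None} for every package in the SBOM."""
    doc = json.loads(sbom_text)
    pkgs = {}
    for p in doc.get("packages", []):
        # A purl, when present, is the ecosystem-qualified identifier that
        # vulnerability feeds key on; keep it alongside the plain name/version.
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        pkgs[(p["name"], p.get("versionInfo", "NOASSERTION"))] = purl
    return pkgs


def describes_image(sbom_text, image_ref, tag):
    """True if the document's top-level subject is image_ref at exactly this tag."""
    doc = json.loads(sbom_text)
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    return any(by_id.get(i, {}).get("name") == image_ref
               and by_id.get(i, {}).get("versionInfo") == tag
               for i in doc.get("documentDescribes", []))


def missing_pins(sbom_text, required):
    """Entries of required {name: version} not present in the SBOM (empty = all present)."""
    pkgs = load_packages(sbom_text)
    return {n: v for n, v in required.items() if (n, v) not in pkgs}
```

Point `load_packages` at the downloaded arq-workbench-<tag>-sbom.spdx.json and pass the tag you just verified to `describes_image`; a mismatch means the SBOM you are reading is not the one for the image you verified.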

With a verified signature and the SBOM in hand, continue to the getting-started tutorial.
