# Trusted Images, Harbor, and Signing > **Intro:** Registry trust is where build security becomes deployment security. A team that scans code but promotes untrusted or unsigned images still has a weak supply chain. ## Core ideas * curated base images; * private registry controls; * image scanning before promotion; * signing and verification before deployment; * traceability from source revision to artifact digest. ## Why provenance matters The critical question is not only “did the scanner pass?” but also: * where did the image come from? * who built it? * what exactly is inside it? * can we prove the promoted image is the one we intended to run? ## Practical Harbor-oriented pattern ### Promotion tiers * **sandbox** — developer experimentation and short-lived builds; * **integration** — scanned candidate images; * **release** — approved and signed images only; * **production mirror** — tightly controlled pull source. ### Minimum policy expectations * only approved projects or robot accounts may push to release repos; * vulnerability gates apply before promotion; * tags used for humans, **digests** used for precise deployment decisions; * retention rules prevent old and confusing artifacts from accumulating; * audit logs retained for push, delete, retag, and project-policy changes. ## Signing and verification model A practical image-trust story usually includes: * build image; * scan image; * generate SBOM; * sign the image after it passes policy; * verify signature or trust policy before deploy. ## What to store as release evidence * source revision; * build pipeline identifier; * image digest; * scanner result summary; * signing event and signer identity; * environment promotion decision. ## Common mistakes * trusting tags instead of digests for production deploys; * scanning once in dev but not again at release time; * allowing direct push into high-trust registries; * mixing public and internal artifacts in the same trust tier; * no process to rebuild and republish when base images change. ## Cross-links * [Dockerfile Security Best Practices](/cloud-kubernetes-and-infrastructure-security/index-1/dockerfile-security-best-practices.md) * [Security Quality Gates and Release Blocking](/devsecops-cicd-and-supply-chain/index-1/security-quality-gates-and-release-blocking.md) * [Repository Secret Scanning](/application-security-and-secure-sdlc/index-1/repository-secret-scanning.md) * [Harbor Registry Hardening](/devsecops-cicd-and-supply-chain/index-1/harbor-registry-hardening.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.product-security.expert/cloud-kubernetes-and-infrastructure-security/index-1/trusted-images-harbor-and-signing.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.