Ratify

Ratify is an open-source verification engine for container images and other supply chain artifacts that evaluates policy-based attestations before deployment in cloud-native environments (supply chain security).

  • Verification of container images and artifacts against supply chain policies using attestations and signatures (supply chain security).
  • Pluggable verification architecture that supports extensible verifiers and policy engines (extensibility / policy enforcement).
  • Integration with Kubernetes admission control workflows for pre-deployment validation (Kubernetes security / admission control).
  • Support for verifying software supply chain metadata such as SBOMs and security attestations (software supply chain observability / compliance).
  • Alignment with CNCF ecosystem practices around secure software delivery and artifact governance (cloud-native security / governance).

More About Ratify

Ratify is an open-source verification engine focused on securing the software supply chain by validating container images and other artifacts before they are admitted into runtime environments, particularly Kubernetes clusters (supply chain security). It is part of the Cloud Native Computing Foundation (CNCF) ecosystem and is designed to address enterprise requirements for policy-driven verification of artifacts published to registries and used in cloud-native platforms.

The project centers on the idea that artifacts should carry verifiable metadata, such as signatures, software bills of materials (SBOMs), and vulnerability or compliance attestations (software supply chain observability). Ratify consumes this metadata and evaluates it against configured policies to determine whether an artifact is allowed. This approach enables organizations to enforce controls such as requiring signed images, verified provenance, or validated SBOMs before workloads are deployed.

Ratify exposes a pluggable framework for verifiers and policy engines (extensibility / policy enforcement). Verifiers implement the logic required to validate a specific type of metadata or attestation format, while policy engines determine how multiple verification results are combined into an admission decision. This modular design allows enterprises to integrate Ratify with various signing systems, attestation formats, and policy tools used in their environments, while maintaining a consistent verification workflow across clusters and registries.

In Kubernetes environments, Ratify is typically deployed as part of the admission control path (Kubernetes security / admission control). It can be integrated with validating admission webhooks or related mechanisms so that whenever a new workload references an image, Ratify evaluates the associated artifacts stored in container registries. If the verification or policy checks fail, the workload admission can be denied, enforcing organization-wide supply chain rules at cluster boundaries.

Ratify interoperates with cloud-native registries and artifact stores that support signatures and attestations (artifact management). It is designed to work with existing registry features for storing OCI-conformant artifacts and their related metadata, so images and their attestations can be managed together in one place. This enables centralized governance over which artifacts can run in production environments and how verification is applied across development, staging, and production stages.

For enterprises, Ratify provides a control point for enforcing supply chain security and compliance requirements in automated pipelines and runtime admission workflows (governance / compliance). Platform and security teams can define verification policies once and reuse them across clusters, reducing manual checks and aligning deployment practices with internal security baselines and external regulatory frameworks. In a technical directory, Ratify fits into categories such as software supply chain security, Kubernetes admission control, artifact verification, and cloud-native governance tooling.