$ flareo verify <image|digest>
# any registry. any image. cryptographic checks only.
DON'T TRUST US. VERIFY YOURSELF.
Paste any public image reference — from Flareo, Docker Hub, GHCR, Quay, anywhere. We run cosign signature checks against public Sigstore infrastructure and surface what we find. If the image is in our catalog, you get the full receipt chain. If it isn't, you still learn whether it's signed, by whom, and what Rekor says about it. No Flareo server sits in the verification path.
01 PASTE AN IMAGE OR DIGEST
02 VERIFICATION RESULTS
Paste an image above and hit verify. You'll see three independent checks run against public infrastructure. Flareo does not proxy or cache these calls.
A SIGNATURE
IS THE IMAGE REALLY FROM FLAREO?
Validates the cosign signature against the Sigstore Fulcio certificate authority, confirming the image was signed by Flareo's GitHub Actions build identity.
cosign → Rekor transparency log
B VULNERABILITIES
ARE THERE KNOWN CVES?
Scans every layer against the NVD, GitHub Advisory Database, and OS package advisories. Reports severity counts.
trivy → NVD + GHSA + Debian
C PROVENANCE
WHAT BUILT THIS IMAGE?
Checks the SLSA provenance attestation. Confirms the builder identity and hermetic build status.
slsa-verifier → in-toto attestation
03 RUN LOCALLY / SKIP FLAREO ENTIRELY
Or paste these into your own terminal.
The whole point of cryptographic verification is that you shouldn't need to trust the person showing you the receipts. Install cosign, trivy, and slsa-verifier locally, then run the three commands below. You'll get the exact same output.
Q1
Why would I trust a tool called "verify" that you control?
You shouldn't. That's why every check here maps to a command you can run in your own terminal, against public infrastructure we don't operate — Sigstore's Fulcio and Rekor, the NVD vulnerability database. If our tool lied, you'd see it immediately by running the plain commands.
Q2
What do these three checks actually prove together?
That the image you're about to pull was built by Flareo's pipeline on a specific date, from a known source commit, in a hermetic environment, with zero (or a known count of) CVEs at build time. Missing any one check leaves a gap an attacker could exploit.
Q3
What don't these checks cover?
Runtime behavior. A signed, scanned, attested image can still have a subtle logic bug or a backdoor planted in the source code before we built it. We verify the supply chain, not the code itself. You still need code review.
Q4
Can I automate this in my CI pipeline?
Yes. All three tools (cosign, trivy, slsa-verifier) return standard exit codes. Wire them into your deploy step with set -e and the pipeline will halt if any check fails. A GitHub Actions workflow template is in our docs.
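The local run described in section 03 and the CI wiring described in Q4 are the same three commands with their exit codes checked. The script below is an added example, not Flareo's own template or the commands the page refers to: it gates a deploy on cosign, trivy and slsa-verifier, relies on each tool's non-zero exit code, and returns a distinct code per failed check so the pipeline log shows which gap was hit. The signer identity pattern, OIDC issuer, source repository and the EXAMPLE_ORG/EXAMPLE_REPO names are placeholders you must replace with the real workflow identity of the image you verify; the `COSIGN`, `TRIVY` and `SLSA_VERIFIER` variables exist so CI can point at pinned binaries.

```shell
#!/bin/sh
# Added example (not Flareo's documented workflow): a deploy gate that runs
# the three checks from the page and halts the deploy if any one fails.
set -eu

# Tool commands come from the environment so CI can use pinned binaries.
COSIGN="${COSIGN:-cosign}"
TRIVY="${TRIVY:-trivy}"
SLSA_VERIFIER="${SLSA_VERIFIER:-slsa-verifier}"

# Assumed values (placeholders): the GitHub Actions workflow identity that
# signs the image, the OIDC issuer for GitHub Actions, and the source repo.
SIGNER_IDENTITY_RE="${SIGNER_IDENTITY_RE:-^https://github\.com/EXAMPLE_ORG/EXAMPLE_REPO/\.github/workflows/release\.yml@refs/tags/v.*$}"
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}"
SOURCE_URI="${SOURCE_URI:-github.com/EXAMPLE_ORG/EXAMPLE_REPO}"
# Severities that block a deploy; lower ones are still printed by trivy.
BLOCKING_SEVERITY="${BLOCKING_SEVERITY:-HIGH,CRITICAL}"

# Check A: keyless cosign signature. cosign checks the Fulcio-issued
# certificate identity/issuer and the Rekor transparency log entry.
check_signature() {
    "$COSIGN" verify \
        --certificate-identity-regexp "$SIGNER_IDENTITY_RE" \
        --certificate-oidc-issuer "$OIDC_ISSUER" \
        "$1" >/dev/null
}

# Check B: trivy scan; --exit-code 1 turns findings at BLOCKING_SEVERITY
# into a non-zero exit status.
check_vulnerabilities() {
    "$TRIVY" image --exit-code 1 --severity "$BLOCKING_SEVERITY" "$1"
}

# Check C: SLSA provenance attestation bound to the expected source repo.
check_provenance() {
    "$SLSA_VERIFIER" verify-image "$1" --source-uri "$SOURCE_URI"
}

# verify_image registry/image@sha256:<digest>
# Returns 0 only when all three checks pass. Codes 1/2/3 name the failed
# check (signature / vulnerabilities / provenance); 4 means a mutable tag
# was given instead of a digest, so the verified bytes could differ from
# the bytes pulled later.
verify_image() {
    image="$1"
    case "$image" in
        *@sha256:*) ;;
        *) echo "refusing to verify a mutable tag; pin a digest: $image" >&2; return 4 ;;
    esac
    check_signature "$image"       || { echo "FAIL signature: $image" >&2; return 1; }
    check_vulnerabilities "$image" || { echo "FAIL vulnerabilities: $image" >&2; return 2; }
    check_provenance "$image"      || { echo "FAIL provenance: $image" >&2; return 3; }
    echo "OK all checks passed: $image"
    return 0
}

# With no arguments the file only defines the functions (so it can be
# sourced); in a deploy step run it as:
#   sh verify-gate.sh registry.example/app@sha256:<digest>
if [ "$#" -gt 0 ]; then
    verify_image "$1"
fi
```

Because each check is tested explicitly with `||`, the gate does not depend on `set -e` reaching into the functions (the shell suspends `-e` inside a function called from a conditional). Refusing a bare tag is a design choice added here, not a Flareo requirement: a tag can be repointed between verification and pull, a digest cannot.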