Skip to content
Latchkey

Policy "no attestations ... denied" (kyverno / cosign policy) in CI

An image policy (Kyverno verifyImages or a cosign policy) requires a signed attestation of a given type from a trusted identity. It denies the image when no such attestation is attached or the identity/type does not match.

What this error means

A policy check in CI (or admission in a kind cluster during CI) denies the image with "no matching attestations", "attestation check failed", or "image is not signed".

policy
resource Pod/default/app was blocked due to the following policies
check-attestations:
  autogen-check-attestations: 'image ghcr.io/acme/app@sha256:... failed: .attestors[0]: no matching attestations'

Common causes

The required attestation is missing

The image was pushed without the SBOM or provenance attestation the policy demands, so admission finds nothing to check.

Identity or predicate type in the policy does not match

The policy pins an issuer, subject, or predicate type that does not equal what actually signed the attestation, so no attestation qualifies.

How to fix it

Attach the attestation the policy expects

  1. Attest the image with the predicate type the policy requires.
  2. Sign with the identity (issuer and subject) the policy trusts.
  3. Re-run the policy check against the image digest.
Terminal
cosign attest --yes --type slsaprovenance \
  --predicate provenance.json ghcr.io/acme/app@sha256:...

Align the policy attestors with the real signer

Set the policy issuer, subject, and predicate type to match the keyless identity and attestation type your pipeline produces.

policy.yaml
attestations:
  - predicateType: https://slsa.dev/provenance/v1
    attestors:
      - entries:
          - keyless:
              issuer: https://token.actions.githubusercontent.com
              subject: "https://github.com/acme/app/*"

How to prevent it

  • Attest every image with the predicate type your policy requires.
  • Keep the policy issuer, subject, and predicate type in sync with signing.
  • Test the policy against a signed image before enforcing it.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →