Error
Error: repo digest unavailable for the image, has it been pushed to or pulled from a registry?
Why this happens
When kosli attest artifact is called with --artifact-type=docker, Kosli asks the local Docker daemon for the image’s repo digest (the SHA256 of the image manifest in a registry). A repo digest is only attached to an image once it has been pushed to or pulled from a registry. A freshly built image (just docker build) has an image ID, but no repo digest, and Kosli will refuse to attest it.
This often surfaces in CI even when the same command appears to work locally. Locally, the image may have been pushed or pulled at some earlier point and the digest is cached on the machine. On a fresh CI runner, the image is only ever built, so the digest is genuinely missing.
You can confirm the difference with:
docker inspect --format '{{json .RepoDigests}}' <image>
[]. An image pulled from or pushed to a registry returns one or more digest entries.
Solutions
Pick whichever fits your pipeline best.
Push the image first, then attest
docker push <registry>/<image>:<tag>
kosli attest artifact <registry>/<image>:<tag> --artifact-type=docker ...
Use --artifact-type=oci
If the image is already in a registry, oci fetches the digest directly via the registry API and does not require a local Docker daemon at all:
kosli attest artifact <registry>/<image>:<tag> \
--artifact-type=oci \
--registry-username=$REGISTRY_USER \
--registry-password=$REGISTRY_TOKEN \
...
Provide the fingerprint directly
If you have already computed a fingerprint elsewhere in your pipeline, pass it with --fingerprint and drop --artifact-type entirely. The fingerprint must still match what runtime reporters will see for the artifact in your environments, so it should normally be the registry digest.Last modified on April 28, 2026
