> ## Documentation Index
> Fetch the complete documentation index at: https://docs.kosli.com/llms.txt
> Use this file to discover all available pages before exploring further.

<AgentInstructions>

## Submitting Feedback

If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:

POST https://docs.kosli.com/feedback

```json
{
  "path": "/troubleshooting/repo_digest_unavailable",
  "feedback": "Description of the issue"
}
```

Only submit feedback when you have something specific and actionable to report.

</AgentInstructions>

# Repo digest unavailable

> How to fix the "repo digest unavailable for the image" error when running kosli attest artifact with --artifact-type=docker.

## Error

```
Error: repo digest unavailable for the image, has it been pushed to or pulled from a registry?
```

## Why this happens

When `kosli attest artifact` is called with `--artifact-type=docker`, Kosli asks the local Docker daemon for the image's **repo digest** (the SHA256 of the image manifest in a registry). A repo digest is only attached to an image once it has been pushed to or pulled from a registry. A freshly built image (just `docker build`) has an image ID, but no repo digest, and Kosli will refuse to attest it.

This often surfaces in CI even when the same command appears to work locally. Locally, the image may have been pushed or pulled at some earlier point and the digest is cached on the machine. On a fresh CI runner, the image is only ever built, so the digest is genuinely missing.

You can confirm the difference with:

```bash theme={"theme":"dracula","languages":{"custom":["/languages/rego.json"]}}
docker inspect --format '{{json .RepoDigests}}' <image>
```

A built-but-never-pushed image returns `[]`. An image pulled from or pushed to a registry returns one or more digest entries.

## Solutions

Pick whichever fits your pipeline best.

### Push the image first, then attest

```bash theme={"theme":"dracula","languages":{"custom":["/languages/rego.json"]}}
docker push <registry>/<image>:<tag>
kosli attest artifact <registry>/<image>:<tag> --artifact-type=docker ...
```

This is the most direct fix and produces an attestation tied to the registry digest.

### Use `--artifact-type=oci`

If the image is already in a registry, `oci` fetches the digest directly via the registry API and does not require a local Docker daemon at all:

```bash theme={"theme":"dracula","languages":{"custom":["/languages/rego.json"]}}
kosli attest artifact <registry>/<image>:<tag> \
  --artifact-type=oci \
  --registry-username=$REGISTRY_USER \
  --registry-password=$REGISTRY_TOKEN \
  ...
```

### Provide the fingerprint directly

If you have already computed a fingerprint elsewhere in your pipeline, pass it with `--fingerprint` and drop `--artifact-type` entirely. The fingerprint must still match what runtime reporters will see for the artifact in your environments, so it should normally be the registry digest.