Docker Image Security Guide
LiteLLM signs every Docker image published to GHCR with cosign starting from v1.83.0. This page covers how to verify signatures, enforce verification in CI/CD, and follow recommended deployment patterns.
Signed images​
All image variants published to ghcr.io/berriai/ are signed with the same cosign key:
| Image | Description |
|---|---|
ghcr.io/berriai/litellm | Core proxy |
ghcr.io/berriai/litellm-database | Proxy with Postgres dependencies |
ghcr.io/berriai/litellm-non_root | Non-root variant |
ghcr.io/berriai/litellm-spend_logs | Spend-logs sidecar |
The signing key was introduced in commit 0112e53 and the public key is checked into the repository at cosign.pub.
Enterprise images (litellm-ee) follow the same signing process. Contact support@berri.ai to confirm coverage for your specific enterprise image tag.
Verify image signatures​
Install cosign following the official instructions.
Verify with the pinned commit hash (recommended)​
A commit hash is cryptographically immutable, making this the strongest verification method:
cosign verify \
--key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \
ghcr.io/berriai/litellm:v1.83.0-stable
Replace the image reference with any signed variant:
# litellm-database
cosign verify \
--key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \
ghcr.io/berriai/litellm-database:v1.83.0-stable
# litellm-non_root
cosign verify \
--key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \
ghcr.io/berriai/litellm-non_root:v1.83.0-stable
Verify with a release tag (convenience)​
Tags are protected in this repository and resolve to the same key:
cosign verify \
--key https://raw.githubusercontent.com/BerriAI/litellm/v1.83.0-stable/cosign.pub \
ghcr.io/berriai/litellm-database:v1.83.0-stable
Expected output​
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
Enforce verification in CI/CD​
Kubernetes — Sigstore Policy Controller​
The Sigstore Policy Controller rejects pods whose images fail cosign verification.
- Install the controller:
helm repo add sigstore https://sigstore.github.io/helm-charts
helm install policy-controller sigstore/policy-controller \
-n cosign-system --create-namespace
- Create a
ClusterImagePolicywith the LiteLLM public key:
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
name: litellm-signed-images
spec:
images:
- glob: "ghcr.io/berriai/litellm*"
authorities:
- key:
data: |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKi4ivqGpE231OGH50PKbqy1Y1Kkb
POJC8+i2Wko82gBOUCe3M0Vw86H/4rhUhfoYEti4gdJ9wZbYmK0I2EE96g==
-----END PUBLIC KEY-----
- Label the namespace to enable enforcement:
kubectl label namespace litellm policy.sigstore.dev/include=true
Any pod in that namespace using an unsigned ghcr.io/berriai/litellm* image will be rejected at admission.
GCP — Binary Authorization​
Binary Authorization can enforce cosign signatures on Cloud Run and GKE.
- Create a cosign-based attestor using the LiteLLM public key:
# Import the public key into a Cloud KMS keyring or use a PGP/PKIX attestor.
# See: https://cloud.google.com/binary-authorization/docs/creating-attestors-console
-
Configure a Binary Authorization policy that requires the attestor for
ghcr.io/berriai/litellm*images. -
Enable the policy on your Cloud Run service or GKE cluster.
Refer to the GCP Binary Authorization docs for full setup steps.
AWS — ECS / ECR​
AWS does not natively verify cosign signatures at deploy time. Common approaches:
- CI/CD gate: Run
cosign verifyin your deployment pipeline before pushing to ECR or updating the ECS task definition. Fail the pipeline if verification fails. - OPA/Gatekeeper on EKS: If running on EKS, use the Sigstore Policy Controller (same as the Kubernetes approach above).
GitHub Actions gate​
Add a verification step before any deployment job:
- name: Verify LiteLLM image signature
run: |
cosign verify \
--key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \
ghcr.io/berriai/litellm-database:${{ env.LITELLM_VERSION }}
Recommended deployment patterns​
Pin by digest​
Digest pinning guarantees the exact image content regardless of tag mutations:
image: ghcr.io/berriai/litellm-database@sha256:<digest>
Get the digest after pulling:
docker inspect --format='{{index .RepoDigests 0}}' \
ghcr.io/berriai/litellm-database:v1.83.0-stable
Cosign verification works with digests too:
cosign verify \
--key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \
ghcr.io/berriai/litellm-database@sha256:<digest>
Use stable release tags​
If digest pinning is too rigid for your workflow, use -stable release tags (e.g. v1.83.0-stable). These are immutable release tags that will not be overwritten.
Avoid main-latest or main-stable in production — these rolling tags point to the most recent build and can change between deployments.
Safe upgrade checklist​
- Verify the new image — run
cosign verifyagainst the new release tag or digest. - Test in staging — deploy the verified image to a non-production environment.
- Update your pinned reference — change the digest or tag in your deployment manifest.
- Deploy to production — roll out using your standard deployment process.
- Monitor
/health— confirm the proxy is healthy after the upgrade.
Further reading​
- CI/CD v2 announcement — background on LiteLLM's signing infrastructure
- Docker deployment guide — full Docker, Helm, and Terraform setup
- cosign documentation — cosign usage and key management
- Sigstore Policy Controller — Kubernetes admission control