crane-validate
Validate CloudEvents data against schema
TLDR
Validate an image
Skip downloading/digesting layers
Name of remote image to validate
Path to tarball to validate
Display help
SYNOPSIS
crane validate [options] <image> [<layers>...]
PARAMETERS
-a, --all-platforms
Validate all platforms in multi-platform index manifests
-c, --checksum <string>
Expected checksum; fails if image digest mismatches
-d, --dry-run
List violations without non-zero exit code
-v, --verbose
Enable verbose logging for detailed diagnostics
DESCRIPTION
The crane validate command is part of the crane CLI tool from the Google go-containerregistry project. It verifies that a given OCI image or artifact conforms to the OCI Image Specification and OCI Image Layout.
When invoked, it fetches the image manifest or index from a remote registry, parses it, and checks:
• Validity of JSON structures in manifests and configs.
• Content-addressable storage (CAS) for layers via digests.
• Proper media types.
• Platform-specific validations if specified.
It reports violations such as mismatched digests, invalid media types, or missing required fields. Use --dry-run to list issues without a non-zero exit code, which suits CI/CD pipelines. The command is intended primarily for remote images (e.g., docker.io/library/nginx:latest) and supports multi-platform indexes with --all-platforms.
It is essential for ensuring image integrity before deployment, especially in secure supply chains with Sigstore/cosign integration.
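The digest and media-type checks listed above, reduced to a standard-library Go sketch. This is an added example, not code from crane or go-containerregistry; the names Descriptor, Manifest, Digest and Validate, the in-memory blob store, the media-type prefix rule and the sample data are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Descriptor and Manifest keep only the OCI image-manifest fields checked here.
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
}
type Manifest struct {
	Config Descriptor   `json:"config"`
	Layers []Descriptor `json:"layers"`
}

// Digest returns the sha256 content address of a blob.
func Digest(b []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(b)) }

// Validate lists violations; blobs is a hypothetical store keyed by requested digest.
func Validate(raw []byte, blobs map[string][]byte) []string {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return []string{"manifest: invalid JSON: " + err.Error()}
	}
	var v []string
	for i, d := range append([]Descriptor{m.Config}, m.Layers...) {
		blob, ok := blobs[d.Digest]
		switch {
		case !strings.HasPrefix(d.MediaType, "application/vnd.oci.image."): // simplified rule
			v = append(v, fmt.Sprintf("descriptor %d: unexpected mediaType %q", i, d.MediaType))
		case !ok || Digest(blob) != d.Digest: // recompute; never trust the stored name
			v = append(v, fmt.Sprintf("descriptor %d: blob missing or digest mismatch for %s", i, d.Digest))
		}
	}
	return v
}

func main() { // constructed sample data, not a real image
	cfg, layer := []byte(`{"os":"linux"}`), []byte("constructed layer bytes")
	raw, _ := json.Marshal(Manifest{Descriptor{"application/vnd.oci.image.config.v1+json", Digest(cfg)},
		[]Descriptor{{"application/vnd.oci.image.layer.v1.tar", Digest(layer)}}})
	blobs := map[string][]byte{Digest(cfg): cfg, Digest(layer): layer}
	fmt.Println("intact:", Validate(raw, blobs))
	blobs[Digest(layer)] = []byte("tampered layer bytes") // stored under the old digest
	fmt.Println("tampered:", Validate(raw, blobs))
}
```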
CAVEATS
Requires network access for remote images; local tarballs unsupported; does not verify signatures (use cosign verify).
EXAMPLES
Basic: crane validate docker.io/library/alpine:latest
Dry-run: crane validate -d gcr.io/project/image:tag
Multi-platform: crane validate -a docker.io/library/nginx:latest
EXIT CODES
0: Valid image
1: Validation failures (use -d to inspect without error)
HISTORY
Introduced in crane v0.2.0 (2020) as part of go-containerregistry by Google; evolved with OCI v1.1 support in later releases for enhanced multi-arch validation.


