diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index 0b5d42746c..dcd9af9d62 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -18,6 +18,11 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+
       - name: login to GitHub Container Registry
         run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
 
@@ -31,6 +36,11 @@ jobs:
         run: |
           make docker-publish-initContainer
 
+      - name: Sign image
+        run: |
+          KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
+          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyvernopre:${KYVERNO_IMAGE_VERSION}
+
   push-kyverno:
     runs-on: ubuntu-latest
     steps:
@@ -45,6 +55,11 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+
       - name: login to GitHub Container Registry
         run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
 
@@ -58,6 +73,11 @@ jobs:
         run: |
           make docker-publish-kyverno
 
+      - name: Sign image
+        run: |
+          KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
+          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/kyverno/kyverno:${KYVERNO_IMAGE_VERSION}
+
   push-kyverno-cli:
     runs-on: ubuntu-latest
     steps:
@@ -72,6 +92,11 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+
       - name: login to GitHub Container Registry
         run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
 
@@ -83,4 +108,9 @@ jobs:
 
       - name: docker images publish
         run: |
-          make docker-publish-cli
\ No newline at end of file
+          make docker-publish-cli
+
+      - name: Sign image
+        run: |
+          KYVERNO_IMAGE_VERSION=$(git describe --match "v[0-9]*")
+          echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY_PASSWORD }}" | cosign sign -key <(echo -n "${{ secrets.KYVERNO_COSIGN_PRIVATE_KEY }}") ghcr.io/-cli:${KYVERNO_IMAGE_VERSION}
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000000..c7a558d4c7
--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExxWHpvn2uMYqg174TmTcnGELOXXM
+7/cGqLZW88FFceihl1WA24yKxtMBZqw/s06XqPqujqRzhkaSKa2zkRUWUA==
+-----END PUBLIC KEY-----
\ No newline at end of file