diff --git a/docs/kacti/docs/supply-chain-security/verifying-images.md b/docs/kacti/docs/supply-chain-security/verifying-images.md new file mode 100644 index 0000000..c38ef59 --- /dev/null +++ b/docs/kacti/docs/supply-chain-security/verifying-images.md @@ -0,0 +1,23 @@ +--- +sidebar_position: 2 +--- + +# Verifying kacti images +Kacti images are signed using Sigstore, and provenance is recorded in the public-good Rekor instance. + +You can verify the provenance of Kacti images using `cosign`: +``` +$ kacti images --list +CVE: CVE-2021-44228 -> Image: quay.io/kacti/log4shell@sha256:f72efa1cb3533220212bc49716a4693b448106b84ca259c20422ab387972eed9 + +$ cosign verify \ + --certificate-oidc-issuer https://github.com/login/oauth \ + --certificate-identity shane.boulden@gmail.com \ + quay.io/kacti/log4shell@sha256:f72efa1cb3533220212bc49716a4693b448106b84ca259c20422ab387972eed9 + +Verification for quay.io/kacti/log4shell@sha256:f72efa1cb3533220212bc49716a4693b448106b84ca259c20422ab387972eed9 -- +The following checks were performed on each of these signatures: + - The cosign claims were validated + - Existence of the claims in the transparency log was verified offline + - The code-signing certificate was verified using trusted certificate authority certificates +``` \ No newline at end of file
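Review bot: the opening sentence says "provenance is recorded in the public-good Rekor instance", but the only command shown is `cosign verify`, which checks the image signature and its Rekor entry, not a provenance attestation; either reword it to say the signatures are recorded in Rekor, or add the `cosign verify-attestation` step if provenance attestations are actually published for these images. The page should also explain what `--certificate-oidc-issuer https://github.com/login/oauth` and `--certificate-identity shane.boulden@gmail.com` mean (keyless signing bound to that GitHub-authenticated identity) so readers know these are the expected values to pin and compare against; without the expected identity documented, a successful verify does not tell them much. Minor: the code fence has no language tag (`console` or `shell` would fit), "Kacti" and "kacti" are mixed within the same paragraph, and the file is missing a trailing newline.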