diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 22d9db06..797ec44e 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -9,6 +9,11 @@ jobs:
 deploy_containers:
 name: Build and deploy container images
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
 strategy:
 matrix:
 image-name: ["kas", "kas-isar"]
@@ -35,6 +40,7 @@ jobs:
 - name: Build ${{ matrix.image-name }} image
 uses: docker/build-push-action@v5
 if: ${{ env.PUSH_MASTER == 'true' }}
+ id: push
 with:
 context: /home/runner/kas-clone
 target: ${{ matrix.image-name }}
@@ -46,3 +52,9 @@ jobs:
 outputs: type=registry,rewrite-timestamp=true
 tags: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
 annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
+ - name: Attest ${{ matrix.image-name }} image
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
diff --git a/.github/workflows/next.yml b/.github/workflows/next.yml
index a441b04a..7d4f2d54 100644
--- a/.github/workflows/next.yml
+++ b/.github/workflows/next.yml
@@ -65,6 +65,11 @@ jobs:
 name: Build, test and deploy container images
 needs: perform_tests
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
 strategy:
 matrix:
 image-name: ["kas", "kas-isar"]
@@ -96,6 +101,7 @@ jobs:
 ../../kas-container build kas.yml
 - name: Complete build and deploy ${{ matrix.image-name }} image
 uses: docker/build-push-action@v5
+ id: push
 with:
 context: /home/runner/kas-clone
 target: ${{ matrix.image-name }}
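Review bot: `id-token: write` in the new job-level `permissions:` block applies to every step of `deploy_containers`, not just the attestation step, so any third-party action the job runs (`docker/build-push-action@v5` is visible in the next hunk) can request an OIDC identity token for this repository. GitHub Actions offers no per-step scoping of permissions, so the practical mitigation is to pin every `uses:` in this job to a full commit SHA instead of a floating major tag, and to keep the job free of steps that do not need the token. A comment above the block would make the intent explicit, e.g. `# id-token/attestations: required by actions/attest-build-provenance; keep every action in this job SHA-pinned`. Note that an explicit `permissions:` block replaces the default token grants, so `contents: read` must remain for the repository clone that presumably happens earlier in the job, outside this hunk.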
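Review bot: The new `Attest` step in `master.yml` has no `if:` guard, while the `Build` step it takes its digest from (previous hunk) only runs when `env.PUSH_MASTER == 'true'`; when that build is skipped, `steps.push.outputs.digest` expands to an empty string and the attestation step still runs with an empty `subject-digest`, which should fail the job rather than be skipped. Add the same condition to the new step: `if: ${{ env.PUSH_MASTER == 'true' }}`. The `next.yml` and `release.yml` build steps in this diff carry no such condition, so only `master.yml` needs the guard.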
@@ -107,3 +113,9 @@ jobs:
 outputs: type=registry,rewrite-timestamp=true
 tags: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}:next
 annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
+ - name: Attest ${{ matrix.image-name }} image
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e02a026f..36115fec 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,11 @@ jobs:
 deploy_containers:
 name: Build and deploy container images
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ packages: write
+ contents: read
+ attestations: write
 strategy:
 matrix:
 image-name: ["kas", "kas-isar"]
@@ -25,6 +30,7 @@ jobs:
 image-name: ${{ matrix.image-name }}
 - name: Build ${{ matrix.image-name }} image
 uses: docker/build-push-action@v5
+ id: push
 with:
 context: /home/runner/kas-clone
 target: ${{ matrix.image-name }}
@@ -39,3 +45,9 @@ jobs:
 ghcr.io/${{ github.repository }}/${{ matrix.image-name }}:${{ env.RELEASE_VERSION }}
 ghcr.io/${{ github.repository }}/${{ matrix.image-name }}:latest-release
 annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
+ - name: Attest ${{ matrix.image-name }} image
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-name: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: true
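Review bot: `actions/attest-build-provenance@v1` in the new `Attest` step is referenced by a mutable major-version tag; this step runs with `id-token: write` and signs provenance on behalf of the repository, so a moved `v1` tag could change what is attested or where the statement is sent. Pin it to a full-length commit SHA and keep the version in a trailing comment, `uses: actions/attest-build-provenance@<full-commit-sha> # v1`, so Dependabot or Renovate can track it. `push-to-registry: true` also presumes the registry session from the job's earlier login step is still valid at this point; that step is outside this hunk, so it is worth confirming no intermediate step logs out or switches credentials.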