Which practice helps prevent tampering of container images before deployment in cloud environments?

Prepare for the Penetration Testing and Vulnerability Analysis Test with a range of challenging questions. Study with multiple choice format, hints, and detailed explanations to ace your next exam!

Multiple Choice

Which practice helps prevent tampering of container images before deployment in cloud environments?

Explanation:

Ensuring container images have a verifiable origin and haven’t been altered before deployment is essential. A trusted registry plus image signing provides both provenance and integrity checks. The registry ensures you’re pulling from a controlled source that enforces policies, while signing attaches a cryptographic signature to the image. At deployment time, the system verifies that signature against a trusted key; if the image has been tampered with or is not from a trusted source, it will be rejected. This combination prevents unauthorized changes from slipping into production and gives you confidence that the image you run is exactly what was built and approved.

Other options don’t address this tampering risk: firewall rules filter network traffic, not the image contents; encrypting network traffic protects data in transit but not the integrity of the image itself; disabling version control removes provenance and makes it harder to track or detect changes.
