diff --git a/digest/digest.go b/digest/digest.go
index d465c2175..6efec5699 100644
--- a/digest/digest.go
+++ b/digest/digest.go
@@ -51,6 +51,9 @@ func NewDigestFromHex(alg, hex string) Digest {
 // DigestRegexp matches valid digest types.
 var DigestRegexp = regexp.MustCompile(`[a-zA-Z0-9-_+.]+:[a-fA-F0-9]+`)
+// DigestRegexpAnchored matches valid digest types, anchored to the start and end of the match.
+var DigestRegexpAnchored = regexp.MustCompile(`^` + DigestRegexp.String() + `$`)
+
 var (
 // ErrDigestInvalidFormat returned when digest format invalid.
 ErrDigestInvalidFormat = fmt.Errorf("invalid checksum digest format")
@@ -114,7 +117,7 @@ func (d Digest) Validate() error {
 // Continue on for general parser
- if !DigestRegexp.MatchString(s) {
+ if !DigestRegexpAnchored.MatchString(s) {
 return ErrDigestInvalidFormat
 }
diff --git a/digest/digest_test.go b/digest/digest_test.go
index 52da03334..9e9ae3566 100644
--- a/digest/digest_test.go
+++ b/digest/digest_test.go
@@ -48,6 +48,11 @@ func TestParseDigest(t *testing.T) {
 input: "d41d8cd98f00b204e9800998ecf8427e",
 err: ErrDigestInvalidFormat,
 },
+ {
+ // not hex
+ input: "sha256:d41d8cd98f00b204e9800m98ecf8427e",
+ err: ErrDigestInvalidFormat,
+ },
 {
 input: "foo:d41d8cd98f00b204e9800998ecf8427e",
 err: ErrDigestUnsupported,
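Review bot: `DigestRegexpAnchored` pastes `^` and `$` around `DigestRegexp.String()` without grouping, so both anchors apply to the whole pattern only while the inner expression has no top-level alternation. That holds for the pattern shown, but a later edit adding a `|` branch to `DigestRegexp` would leave one branch anchored on a single side; building it as ``regexp.MustCompile(`^(?:` + DigestRegexp.String() + `)$`)`` removes that dependency. The exported `DigestRegexp` stays unanchored, so its comment should warn callers, for example `// DigestRegexp matches a digest anywhere in the input; use DigestRegexpAnchored to validate a whole string.`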
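Review bot: The switch to `DigestRegexpAnchored` in `Validate` carries no comment on why the unanchored pattern was insufficient, and the two names differ by a single word, so a later cleanup could revert it unnoticed. A line above the `if` such as `// Anchored: the whole string must be a digest; DigestRegexp alone accepts input that merely contains one.` would record the intent. `Validate` starts and ends outside this hunk, so whether the checks after this one would independently reject such input cannot be judged from here.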
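Review bot: The new table entry exercises only the trailing `$` anchor, because its input starts with a well-formed `sha256:` prefix and is rejected for what follows the valid hex run. Nothing covers the leading `^` anchor or a stray byte at the very end, so a regression that drops one anchor could still pass this test. Consider adding entries expecting `ErrDigestInvalidFormat` for an otherwise valid digest with a prefix and with a suffix, for example (constructed values) `input: "x/sha256:d41d8cd98f00b204e9800998ecf8427e"` and `input: "sha256:d41d8cd98f00b204e9800998ecf8427e\n"`. `TestParseDigest` continues outside the hunk.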