diff --git a/README.md b/README.md
index f67f8ffd33..d848b64f4f 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@
 [![Slack](https://img.shields.io/static/v1?label=openssf.slack.com&message=%23slsa-tooling&color=4A154B&logo=slack)](https://slack.openssf.org/)
 [![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)
 
-<img align="right" src="https://slsa.dev/images/logo-mono.svg" width="140" height="140">
+<img alt="SLSA logo" align="right" src="https://slsa.dev/images/logo-mono.svg" width="140" height="140">
 
 <!-- markdown-toc --bullets="-" -i README.md -->
 
diff --git a/SPECIFICATIONS.md b/SPECIFICATIONS.md
index 38d80d271a..e28afb8ef2 100644
--- a/SPECIFICATIONS.md
+++ b/SPECIFICATIONS.md
@@ -234,7 +234,7 @@ Given an artifact and a signed provenance, we perform the following steps:
 
 3. **Extract the builder identity from the signing certificate**: Extract certificate information (see [here](https://github.com/sigstore/fulcio/blob/c74e2cfb763dd32def5dc921ff49f579fa262d96/docs/oid-info.md#136141572641--fulcio) for extension OIDs). Verify that the signing certificate’s subject name (job_workflow_ref) is the trusted builder ID at a trusted hash (calling repository SHA in the diagram below). This verifies authenticity of the provenance and guarantees the provenance was correctly populated.
 
-   <img src="images/cert.svg" width="70%" height="70%">
+   <img alt="certificate OIDs" src="images/cert.svg" width="70%" height="70%">
 
 4. **Verify the provenance attestation against a policy, as usual**: Parse the authenticated provenance and match the subject digest inside the provenance with the artifact digest. Additionally verify builder ID, configSource, and other properties according to policy.
 
@@ -277,7 +277,7 @@ More specifically, below are a list of threats we aim to protect against:
 | Build same repo same version but non-default branch                                | Branch and versions both added to provenance using GitHub's trigger payload                                                                                                                                                                                   | Verify provenance info                         |
 | Build same repo different builder                                                  | Sigstore embeds trusted builder's path in cert                                                                                                                                                                                                                | Verify cert's workflow path                    |
 | Build same repo using user-defined workflow                                        | Sigstore embeds builder's path in cert                                                                                                                                                                                                                        | Verify cert's workflow path                    |
-| Forge valid certificate with different repo/hash/builder through GitHub token leak | Token expires when job is complete, cleared after unmarshalling                                                                                                                                                                                               |
+| Forge valid certificate with different repo/hash/builder through GitHub token leak | Token expires when job is complete, cleared after unmarshalling                                                                                                                                                                                               |                                                |
 | Malicious env variables                                                            | Only accepts `CGO_*` and `GO*` env variables                                                                                                                                                                                                                  | Note: should be left to the verifier to decide |
 | Script injections                                                                  | Filter option names using allow-list + use execve()                                                                                                                                                                                                           | Note: should be left to the verifier to decide |
 | Malicious compiler options                                                         | Use allow-list                                                                                                                                                                                                                                                | Note: should be left to the verifier to decide |