Jason Hall

Does `bom` expect the `go` executable to be present? The "`go executbale not found`" error sounds suspicious. If so, basing its image on `static` will be a problem. Can you...

https://github.com/GoogleContainerTools/kaniko/pull/2386

> Hi, Do you plan to merge it soon ? I'm not actively contributing to Kaniko. @chuangw6 might know if someone at Google is interested in reviewing and merging this...

We talked about this some today and came up with some ideas: If `CGO_ENABLED=1` explicitly, and you requested multiple platforms, we can check if `zig` is installed and invoke it...

Sorry the example moved to https://github.com/chainguard-images/images/tree/main/images/ko/example

https://github.com/ko-build/ko/pull/585

This issue is closed actually, since we're generating SPDX SBOMs in JSON (or "SPDXSBOMiJSON" for short 🙃 ) The issue that SBOMs are pushed with `spdx+json` was fixed in cosign...

This might be fixed in `ko` at head: https://github.com/ko-build/ko/issues/970#issuecomment-1456951250

I'd love to! I think we'd want to have govulncheck's findings end up in an attestation attached to the built image, and likely signed. This would make it blocked on...

I think we should include detected license information, and I have yet to find a better way to do it than this. Reopening to continue the discussion.