Harsh Thakur

The current docker command is [this](https://docs.docker.com/build/attestations/#creating-attestations), so a flag: `build --sbom=true`. I think we can remain docker-like in that aspect and have an environment variable that determines which SBOM plugin...

@samj1912 thanks for pointing it out. Just skimmed through it. I think we're after the same goal. OCI v1.1 draft spec is helping with interoperability. Re: attestations Feels like it's...

@loewenstein Agreed! OCI spec allows annotations to attach metadata like that.

I meant we should provide complete image sboms too but adhere to OCI 1.1 spec on how it suggests on doing it. In future, when we do runtime SBOMs, etc-...

Couple thoughts: There's been recent work in Buildkit and Docker to provide SBOM and provenance as part of the image. I think there's a lot that can be potentially re-used...

Thank you @Kloenk for this PR. I'm trying to setup a Linux builder on a non-default ssh port and it doesn't seem possible without this PR. Curious if there's an...