
create apko YAML from an SBOM

Open kaniini opened this issue 3 years ago • 2 comments

It would be neat to generate apko YAML files from an SBOM, something like:

syft packages alpine:latest --output cyclonedx-json | apko import -f cyclonedx > alpine-latest.yaml

But it seems like these SBOMs don't capture repository lists, or what is actually an /etc/apk/world dependency. Maybe we can work with Anchore on this?

kaniini · Apr 08 '22 06:04
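As an added illustration of the proposed `apko import` step (example code written for this page, not apko's or Syft's own code), the script below reads a CycloneDX JSON SBOM and emits an apko-style YAML skeleton. It assumes the CycloneDX JSON layout Syft emits (a top-level `components` list whose entries carry a `purl`), the `pkg:apk/<namespace>/<name>@<version>?arch=...` purl form, and the apko config keys `contents.repositories`, `contents.packages` and `archs`. The SBOM embedded in the block is constructed, and `parse_apk_purl`, `sbom_to_apko` and `render_apko_yaml` are hypothetical names. It deliberately surfaces the gap the issue describes: when no repository list or `/etc/apk/world` contents are supplied, the output marks them as missing and lists every apk component (a superset of the world file) rather than silently pretending the SBOM had that information.

```python
"""Convert a CycloneDX JSON SBOM into an apko YAML skeleton.

Added example, not apko or Syft code. Assumes the CycloneDX 1.4 JSON layout
Syft emits (top-level "components" with a "purl" each) and the apko config
layout (contents.repositories / contents.packages / archs).
"""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample SBOM in the shape Syft emits for an Alpine image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "busybox", "version": "1.35.0-r17",
         "purl": "pkg:apk/alpine/busybox@1.35.0-r17?arch=x86_64&distro=alpine-3.16.0"},
        {"type": "library", "name": "alpine-baselayout", "version": "3.2.0-r22",
         "purl": "pkg:apk/alpine/alpine-baselayout@3.2.0-r22?arch=x86_64&distro=alpine-3.16.0"},
        {"type": "library", "name": "musl", "version": "1.2.3-r0",
         "purl": "pkg:apk/alpine/musl@1.2.3-r0?arch=x86_64&distro=alpine-3.16.0"},
        # A non-apk component (a Go module) that must not become an apk package.
        {"type": "application", "name": "syft", "version": "0.44.0",
         "purl": "pkg:golang/github.com/anchore/syft@v0.44.0"},
    ],
})


def parse_apk_purl(purl):
    """Return {name, version, namespace, qualifiers} for a pkg:apk purl, else None."""
    parts = urlsplit(purl)
    if parts.scheme != "pkg":
        return None
    path, _, version = parts.path.partition("@")
    segments = path.split("/")
    if segments[0] != "apk" or len(segments) < 2 or not version:
        return None
    qualifiers = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"name": segments[-1], "version": version,
            "namespace": segments[1], "qualifiers": qualifiers}


def sbom_to_apko(sbom_json, world=None, repositories=None):
    """Build (config, missing) from a CycloneDX JSON string.

    `world` is the explicit /etc/apk/world list and `repositories` the apk
    repository URLs; neither is in the SBOM, so they are optional inputs and
    their absence is reported in `missing` instead of being guessed.
    """
    sbom = json.loads(sbom_json)
    apk = [p for p in (parse_apk_purl(c.get("purl", ""))
                       for c in sbom.get("components", [])) if p]
    archs = sorted({p["qualifiers"]["arch"] for p in apk if "arch" in p["qualifiers"]})
    if world is not None:
        # Keep only what the world file names; everything else is a transitive dep.
        apk = [p for p in apk if p["name"] in set(world)]
    packages = [f'{p["name"]}={p["version"]}' for p in sorted(apk, key=lambda p: p["name"])]
    config = {"contents": {"repositories": list(repositories or []), "packages": packages},
              "archs": archs}
    missing = [k for k, v in (("repositories", repositories), ("world", world)) if v is None]
    return config, missing


def render_apko_yaml(config, missing):
    """Emit apko-style YAML by hand (no PyYAML needed), with gaps called out as comments."""
    lines = ["contents:", "  repositories:"]
    if "repositories" in missing:
        lines.append("    # TODO: the SBOM carries no repository list; fill in manually")
    lines += [f"    - {r}" for r in config["contents"]["repositories"]]
    lines.append("  packages:")
    if "world" in missing:
        lines.append("    # /etc/apk/world was not in the SBOM: every apk component is listed,")
        lines.append("    # including transitive dependencies")
    lines += [f"    - {p}" for p in config["contents"]["packages"]]
    lines.append("archs:")
    lines += [f"  - {a}" for a in config["archs"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_apko_yaml(*sbom_to_apko(SAMPLE_SBOM)))
```

Run as-is it prints a pinned package list with two TODO comments; pass `world=["busybox"]` and a `repositories` list to see how the extra information the comment above asks Syft to capture collapses the output to the explicit dependencies only. Keeping the gaps as visible comments rather than filling them in is the point: a regenerated config that a reviewer can audit against the original image is more useful than one that looks complete but is not.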

Let's do it!

We've talked before about the possibility of re-hydrating artifacts from SBOMs. (This came up in an sget conversation a couple times, I think). I think it's super cool.

If Syft started capturing repositories and world dependencies, would that be enough information to create a suitable apko YAML file?

luhring · Apr 25 '22 12:04

Yeah, absolutely!

kaniini · Apr 26 '22 21:04