
Attach SBOMs to images in the container registry

Open lbussell opened this issue 8 months ago • 3 comments

  • https://learn.microsoft.com/en-us/azure/security/container-secure-supply-chain/articles/attach-sbom
  • https://oras.land/blog/oras-0.14-and-future/#attach-the-sbom-to-this-image

We can use the ORAS tool to directly attach SBOMs to our images in our container registry. This makes the content of our images more discoverable and opens up the possibility for automation based on the SBOM (for example, rebuilds when we have CVEs or package updates). This can decouple the "scanning" of the image from the actions based on that scan.

SBOMs are an attestation/supply chain artifact and can also be signed:

[image]

Example

SBOM Discovery

$ oras discover -o tree $IMAGE

myregistry.azurecr.io/net-monitor:v1
├── sbom/example
│   └── sha256:4f1843833c029ecf0524bc214a0df9a5787409fd27bed2160d83f8cc39fedef5
│       └── signature/example
│           └── sha256:3c43b8cb0c941ec165c9f33f197d7f75980a292400d340f1a51c6b325764aa93
├── readme/example
│   └── sha256:5fafd40589e2c980e2864a78818bff51ee641119cf96ebb0d5be83f42aa215af
└── signature/example
    └── sha256:00da2c1c3ceea087b16e70c3f4e80dbce6f5b7625d6c8308ad095f7d3f6107b5

Additional Context

Related:

  • #4589
  • https://github.com/dotnet/dotnet-docker/issues/1455

lbussell, May 29 '24 17:05
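As an added example (not code from the issue or from the dotnet-docker project), the Python below walks the same kind of referrers graph that `oras discover -o tree` prints above and implements the sort of automation the issue proposes: flag an image that has no SBOM attached, or whose SBOM has no signature attached to it. The registry is a constructed in-memory dict standing in for the OCI 1.1 referrers API that ORAS queries; the artifact types `sbom/example`, `readme/example` and `signature/example` are the ones in the issue's sample output, and the digests are constructed values, not real content hashes.

```python
"""Walk an OCI referrers graph (what `oras discover` queries) to find the SBOM
attached to an image and check that the SBOM itself is signed.

Added, self-contained example: the registry is a constructed in-memory dict
standing in for the OCI 1.1 referrers API (GET /v2/<repo>/referrers/<digest>),
which returns descriptors of every manifest naming <digest> as its "subject".
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Descriptor:
    """Subset of an OCI descriptor as returned by the referrers endpoint."""
    digest: str
    artifact_type: str


# Artifact types taken from the issue's sample `oras discover` output.
SBOM_TYPE = "sbom/example"
SIG_TYPE = "signature/example"
README_TYPE = "readme/example"

# Constructed digests (not real content hashes).
IMAGE = "sha256:" + "aa" * 32
SBOM = "sha256:" + "bb" * 32
SBOM_SIG = "sha256:" + "cc" * 32
README = "sha256:" + "dd" * 32
IMAGE_SIG = "sha256:" + "ee" * 32

# subject digest -> descriptors of the manifests attached to it (constructed).
REFERRERS = {
    IMAGE: [
        Descriptor(SBOM, SBOM_TYPE),
        Descriptor(README, README_TYPE),
        Descriptor(IMAGE_SIG, SIG_TYPE),
    ],
    SBOM: [Descriptor(SBOM_SIG, SIG_TYPE)],
}


def referrers(index, subject, artifact_type=None):
    """Descriptors attached to `subject`, optionally filtered by type the way
    `oras discover --artifact-type` does."""
    descs = index.get(subject, [])
    if artifact_type is not None:
        descs = [d for d in descs if d.artifact_type == artifact_type]
    return list(descs)


def render_tree(index, name, subject):
    """Render the referrer graph in the layout of `oras discover -o tree`."""
    lines = [name]
    seen = set()

    def walk(node, prefix):
        # Content addressing makes cycles impossible for honest data, but the
        # registry response is untrusted input, so guard against a loop anyway.
        if node in seen:
            return
        seen.add(node)
        children = referrers(index, node)
        for i, d in enumerate(children):
            last = i == len(children) - 1
            lines.append(prefix + ("└── " if last else "├── ") + d.artifact_type)
            child_prefix = prefix + ("    " if last else "│   ")
            lines.append(child_prefix + "└── " + d.digest)
            walk(d.digest, child_prefix + "    ")

    walk(subject, "")
    return "\n".join(lines)


def check_sbom_policy(index, image):
    """Findings for an image: it must carry at least one SBOM, and every SBOM
    must itself have a signature attached (the SBOM -> signature edge shown in
    the issue's tree). An empty list means the policy passed."""
    findings = []
    sboms = referrers(index, image, SBOM_TYPE)
    if not sboms:
        findings.append("no SBOM attached")
    for sbom in sboms:
        if not referrers(index, sbom.digest, SIG_TYPE):
            findings.append(f"SBOM {sbom.digest} is unsigned")
    return findings


if __name__ == "__main__":
    print(render_tree(REFERRERS, "myregistry.azurecr.io/net-monitor:v1", IMAGE))
    print(check_sbom_policy(REFERRERS, IMAGE) or "policy: OK")
```

Against a real registry, `referrers` would be replaced by a call to the referrers endpoint (or to `oras discover --format json`), and `check_sbom_policy` is the piece that can gate a rebuild or a promotion step without re-scanning the image, which is the decoupling the issue describes.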