
Generate and sign SBOM through spin

Open NissesSenap opened this issue 1 month ago • 0 comments

Background

There is a general push for SBOMs in the software community, especially after the executive order back in 2021.

I have very limited knowledge about the WASM community, so I have no idea how hard this would be. But the Kubernetes community is working hard on making tooling around good security defaults better all the time.

If spin could make it easy to generate SBOM for both the generated WASM and the container, I know that will help the WASM community in the long run.

Solution

Preferably, it should be possible to generate SBOMs according to the two existing standards.

This could be a separate issue, but it would also be nice if signing the WASM binary, container image and the SBOM with sigstore could be done easily through spin. This is, for example, something that ko is doing by default.

NissesSenap, Jul 02 '24 15:07