Use Docker to generate and attest SBOMs

Open rakshitgondwal opened this issue 3 months ago • 2 comments

Goal

Use docker/build-push-action to generate and attest SBOM.

Details

Right now we are using anchore/sbom-action to generate SBOMs for our images. This means we are generating SBOMs after our build process. It is better to generate SBOMs during the build process, as it makes it easy for us to detect software used to build our image that may not show up in the final image.

Thus we should use docker/build-push-action to generate and attest the SBOM, since the image is built via this action only.

References

https://docs.docker.com/build/ci/github-actions/attestations/

DoD

  • SBOMs are being generated and attested using docker/build-push-action during the release pipeline
  • SBOMs are not generated during CI builds
  • Test that this is working properly; crane can probably be used.
  • anchore/sbom-action is removed.
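An example of what the DoD above amounts to in a release workflow, written as an illustration for this issue rather than taken from the lifecycle-toolkit repository: the image is built only on tag pushes, docker/build-push-action is asked for SBOM and provenance attestations, and two follow-up steps check that the attestations actually reached the registry. The image name `ghcr.io/${{ github.repository }}/example`, the `v*` tag pattern, and the presence of `crane` and `jq` on the runner are assumptions; the action inputs `sbom` and `provenance` and the `vnd.docker.reference.type` annotation are the ones documented on the Docker attestations page linked above.

```yaml
# Added example workflow (not from the lifecycle-toolkit repo). Builds the image
# only for release tags, asks BuildKit to generate SBOM + provenance during the
# build, and fails the job if the attestations are missing from the pushed index.
name: release-image

on:
  push:
    tags: ["v*"]   # release pipeline only; plain CI builds live in another workflow

permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/${{ github.repository }}/example   # placeholder image name
    steps:
      - uses: actions/checkout@v4

      # Attestations need a BuildKit builder (docker-container driver), which
      # setup-buildx-action provides.
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.ref_name }}
          # SBOM is produced by BuildKit during the build itself, so build-stage
          # packages that never land in the final image are still recorded.
          sbom: true
          # mode=max also records the Dockerfile and build arguments used.
          provenance: mode=max

      # Check 1: buildx can resolve the SBOM attached to the pushed image and it
      # lists at least one package (a single-platform image, hence .SBOM.SPDX).
      - name: Verify SBOM attestation with buildx
        run: |
          docker buildx imagetools inspect "$IMAGE:$GITHUB_REF_NAME" \
            --format '{{ json .SBOM.SPDX }}' | jq -e '.packages | length > 0'

      # Check 2 (the crane route mentioned in the DoD): the OCI index pushed by
      # BuildKit carries one extra manifest per platform annotated as an
      # attestation manifest; fail if none is present. Assumes crane is on PATH.
      - name: Verify attestation manifest with crane
        run: |
          crane manifest "$IMAGE:$GITHUB_REF_NAME" \
            | jq -e '.manifests
                     | map(select(.annotations["vnd.docker.reference.type"] == "attestation-manifest"))
                     | length > 0'
```

Both verification steps fail the job when the attestations are absent, which gives the "test that this is working properly" bullet a concrete gate. A separate CI workflow triggered on pull requests that does not set `sbom`/`provenance` (or sets `push: false`) covers the "not generated during CI builds" bullet.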

rakshitgondwal, Mar 20 '24 10:03