
ko sbom binding strategy problem

Open nemre opened this issue 1 year ago • 1 comment

Hello, when I use buildx, it binds the SBOM data directly into the manifest, but ko pushes it as a tag. How can we do this the way docker buildx does? BTW, docker scout cannot detect SBOMs in the main image created via ko.

nemre avatar Feb 19 '24 10:02 nemre

ko follows cosign's SBOM spec for this; for more detail, you can take a look here. BuildX has its own standard: it uses another manifest in the index with platform and arch set to unknown; you can take a look here. This is where the OCI Referrers API comes in handy, to avoid this kind of separation between tools in how they handle software supply chain materials.

developer-guy avatar Feb 19 '24 10:02 developer-guy
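To make the two conventions the reply contrasts concrete, here is an added example (not code from ko, cosign or BuildKit) that locates an SBOM under each scheme. The cosign convention derives a tag name from the image digest (`sha256-<hex>.sbom` in the same repository); the buildx convention adds an extra manifest to the image index with platform `unknown/unknown` and the annotations `vnd.docker.reference.type=attestation-manifest` and `vnd.docker.reference.digest=<image digest>`. The index JSON and all digests below are constructed for the example and do not correspond to any real image.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal OCI image index types: only the fields this example needs.
type Platform struct {
	Architecture string `json:"architecture"`
	OS           string `json:"os"`
}

type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Platform    *Platform         `json:"platform,omitempty"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type Index struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Manifests     []Descriptor `json:"manifests"`
}

// Constructed digests (not real images): one linux/amd64 image manifest and
// its buildx attestation manifest, plus a linux/arm64 image without one.
const (
	ImageAMD64  = "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
	AttestAMD64 = "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
	ImageARM64  = "sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
)

// ConstructedIndex is a hand-written image index in the shape buildx produces
// when it attaches an attestation (SBOM/provenance) manifest to a platform image.
const ConstructedIndex = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "` + ImageAMD64 + `",
     "size": 1000, "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "` + ImageARM64 + `",
     "size": 1000, "platform": {"architecture": "arm64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "` + AttestAMD64 + `",
     "size": 500, "platform": {"architecture": "unknown", "os": "unknown"},
     "annotations": {"vnd.docker.reference.digest": "` + ImageAMD64 + `",
                     "vnd.docker.reference.type": "attestation-manifest"}}
  ]
}`

// CosignSBOMTag returns the tag under which the cosign convention (which ko
// follows) stores the SBOM for an image digest: "<algo>-<hex>.sbom".
func CosignSBOMTag(digest string) (string, error) {
	parts := strings.SplitN(digest, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	return parts[0] + "-" + parts[1] + ".sbom", nil
}

// BuildxAttestations returns the digests of buildx-style attestation manifests
// in an index that refer to imageDigest. All three markers are required so a
// stray unknown/unknown entry without the annotations is not mistaken for one.
func BuildxAttestations(indexJSON []byte, imageDigest string) ([]string, error) {
	var idx Index
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, fmt.Errorf("parsing index: %w", err)
	}
	var found []string
	for _, m := range idx.Manifests {
		if m.Platform == nil || m.Platform.OS != "unknown" || m.Platform.Architecture != "unknown" {
			continue
		}
		if m.Annotations["vnd.docker.reference.type"] != "attestation-manifest" {
			continue
		}
		if m.Annotations["vnd.docker.reference.digest"] != imageDigest {
			continue
		}
		found = append(found, m.Digest)
	}
	return found, nil
}

func main() {
	tag, _ := CosignSBOMTag(ImageAMD64)
	fmt.Println("cosign/ko SBOM tag:", tag)
	att, err := BuildxAttestations([]byte(ConstructedIndex), ImageAMD64)
	fmt.Println("buildx attestation manifests for amd64:", att, err)
	att, err = BuildxAttestations([]byte(ConstructedIndex), ImageARM64)
	fmt.Println("buildx attestation manifests for arm64:", att, err)
}
```

The practical consequence is the one the issue reports: a scanner that only walks the image index (the buildx scheme) never sees a cosign-style SBOM, because that one lives under a separate tag and is found by name, not by following the index. Conversely, a tool that only knows the tag convention will not look inside the index. Nothing in the referenced artefact is cryptographically bound to the image by either scheme alone; a verifier should still check the SBOM's subject digest against the image it claims to describe.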

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.

github-actions[bot] avatar May 20 '24 01:05 github-actions[bot]