
ko sbom binding strategy problem

Open nemre opened this issue 4 months ago • 1 comment

Hello, when I use buildx, it binds the SBOM data directly into the manifest. But ko pushes it as a tag. How can we do this like docker buildx does? BTW, Docker Scout cannot detect SBOMs in the main image created via ko.

nemre avatar Feb 19 '24 10:02 nemre

ko follows cosign's SBOM spec for this; for more detail, you can take a look here. BuildX, on the other hand, has its own standard: it uses another manifest with platform and arch set as unknown; you can take a look here. This is where the OCI Referrers API comes in handy to avoid this kind of separation between tools in handling these software supply chain materials.

developer-guy avatar Feb 19 '24 10:02 developer-guy
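The two replies above describe three different places an SBOM can live next to an image: the cosign tag convention that ko uses (`<repo>:sha256-<digest>.sbom`), the buildx attestation manifest inside the image index (platform `unknown/unknown`, annotated with `vnd.docker.reference.type: attestation-manifest`), and the OCI 1.1 Referrers API with its fallback tag. The script below, added here as an illustration and not code from ko, cosign, buildx or this issue, shows how a scanner or policy check can locate all three for a given image digest without depending on one builder's layout. The image index embedded in it is constructed for the example; the `repo` and `name` arguments are assumed to be the full repository reference and the registry-relative repository path respectively.

```python
"""Locate SBOMs attached to a container image under the three conventions
discussed in the issue: cosign's tag-based layout (used by ko), buildx
attestation manifests inside the image index, and the OCI 1.1 Referrers API.
Added example; the sample index below is constructed, not pulled from a registry."""
import json

# Annotation keys and value BuildKit writes on attestation manifests.
BUILDKIT_REF_TYPE = "vnd.docker.reference.type"
BUILDKIT_REF_DIGEST = "vnd.docker.reference.digest"
ATTESTATION_MANIFEST = "attestation-manifest"

PLATFORM_DIGEST = "sha256:" + "11" * 32   # constructed linux/amd64 manifest digest
ATTEST_DIGEST = "sha256:" + "22" * 32     # constructed attestation manifest digest

# Constructed sample: an index shaped like what buildx pushes with --sbom=true.
# The attestation entry has platform unknown/unknown and points back at the
# platform manifest it describes via vnd.docker.reference.digest.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": PLATFORM_DIGEST,
            "size": 1234,
            "platform": {"architecture": "amd64", "os": "linux"},
        },
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": ATTEST_DIGEST,
            "size": 1234,
            "platform": {"architecture": "unknown", "os": "unknown"},
            "annotations": {
                BUILDKIT_REF_TYPE: ATTESTATION_MANIFEST,
                BUILDKIT_REF_DIGEST: PLATFORM_DIGEST,
            },
        },
    ],
})


def _split_digest(digest: str) -> tuple:
    algo, hexdigest = digest.split(":", 1)
    return algo, hexdigest


def cosign_sbom_tag(repo: str, digest: str) -> str:
    """Tag under which cosign (and therefore ko) publishes an image's SBOM."""
    algo, hexdigest = _split_digest(digest)
    return f"{repo}:{algo}-{hexdigest}.sbom"


def buildx_attestation_manifests(index_json: str) -> dict:
    """Map each platform manifest digest to the digest of the buildx attestation
    manifest (unknown/unknown platform) that carries its SBOM/provenance."""
    index = json.loads(index_json)
    found = {}
    for entry in index.get("manifests", []):
        platform = entry.get("platform", {})
        annotations = entry.get("annotations", {})
        if (platform.get("os") == "unknown"
                and platform.get("architecture") == "unknown"
                and annotations.get(BUILDKIT_REF_TYPE) == ATTESTATION_MANIFEST):
            found[annotations[BUILDKIT_REF_DIGEST]] = entry["digest"]
    return found


def referrers_api_path(name: str, digest: str, artifact_type: str = "") -> str:
    """Registry path for the OCI 1.1 Referrers API listing, optionally filtered
    by artifactType (name is the repository path without the registry host)."""
    path = f"/v2/{name}/referrers/{digest}"
    if artifact_type:
        path += f"?artifactType={artifact_type}"
    return path


def referrers_fallback_tag(repo: str, digest: str) -> str:
    """Tag a client reads when the registry does not implement the Referrers API."""
    algo, hexdigest = _split_digest(digest)
    return f"{repo}:{algo}-{hexdigest}"


def locate_sboms(repo: str, name: str, digest: str, index_json: str) -> dict:
    """Collect every location a tool should check for an SBOM of `digest`."""
    return {
        "cosign_tag": cosign_sbom_tag(repo, digest),
        "buildx_attestation": buildx_attestation_manifests(index_json).get(digest),
        "referrers_api": referrers_api_path(name, digest),
        "referrers_fallback_tag": referrers_fallback_tag(repo, digest),
    }


if __name__ == "__main__":
    print(json.dumps(locate_sboms("ghcr.io/example/app", "example/app",
                                  PLATFORM_DIGEST, SAMPLE_INDEX), indent=2))
```

A scanner that only understands one of these conventions will report "no SBOM" for images built with the other tool, which is the mismatch the first comment observes; checking all three candidate locations, or standardising on the Referrers API where the registry supports it, removes that gap.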