ko
ko copied to clipboard
Published
20 hours ago •
ko-build
ko-build
Include build VCS + env information in SBOMs
Binaries built using Go 1.18+ have extra info embedded, e.g., for ko itself:
build -compiler=gc
build CGO_ENABLED=0
build CGO_CFLAGS=
build CGO_CPPFLAGS=
build CGO_CXXFLAGS=
build CGO_LDFLAGS=
build GOARCH=amd64
build GOOS=darwin
build GOAMD64=v1
build vcs=git
build vcs.revision=895cff9823bdde4341ebd3b1893307a42d12e1f4
build vcs.time=2022-03-28T13:55:53Z
build vcs.modified=true
We should collect this and put it into SPDX and CycloneDX SBOMs.
And https://github.com/google/ko/issues/366 -- gosh, I've wanted this for a while. 🙃
This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}