Priya Wadhwa

Hey @developer-guy thanks for opening this issue, I think it's a really good idea! It looks like some of these tools build SBOMs from the container image and some from...

Ya that sounds good to me! tbh we could probably end up supporting both options, I can see either being valuable to people. I think this change should be small...

/remove-lifecycle stale

/remove-lifecycle rotten

Thanks for catching this, we definitely should be verifying the SCT! Unfortunately it looks like just swapping might not work, seems like the dependency you pointed out (`"github.com/google/certificate-transparency-go/x509"`) depends on...

/remove-lifecycle stale

/remove-lifecycle stale

/remove-lifecycle stale

For 1, I think it should still be ok to have just the `tekton-chains-controller` KSA since it'll be per namespace. I'd also like more clarity around (2) if that's the...

So the current expectation is that only Successful TaskRuns would go through the Chains workflow. I thought we take care of that here -- https://github.com/tektoncd/chains/blob/a86f18ba896a55487bc1381f70a8e20646748070/pkg/reconciler/taskrun/taskrun.go#L51-L54 but if it's not working...