
[QUESTION] add SBOM Attestation to patched images

Open R3DRUN3 opened this issue 1 year ago • 2 comments

What is your question?

Is there a way out-of-the-box to attach a Software Bill of Materials to patched images? See for example this.
I searched in the docs and in the code but could not find anything.
It would be super useful, especially when using the copa GitHub action.

R3DRUN3 · Jan 15 '24 16:01

@R3DRUN3 Not at this time; out-of-box SBOM generation (Docker implementation) would require #298.

You can generate container SBOMs with 3rd-party tooling such as trivy sbom or syft today, though. There are a few options for attaching secure supply chain artifacts, such as attaching via referrers (used by oras), tags (used by cosign), or as part of an OCI index/manifest list (used by docker).

sozercan · Jan 16 '24 21:01
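To make the attach options above concrete, here is an added example (not copa's code and not from either commenter) that builds an OCI 1.1 referrers-style manifest attaching an SBOM to a patched image digest, derives the cosign-style SBOM tag for the same digest, and checks that an attached SBOM really points at the patched digest rather than the pre-patch one. The SBOM content, digests and repository name are constructed placeholders.

```python
import hashlib
import json

# Constructed sample SBOM blob (not real syft/trivy output).
SBOM_JSON = json.dumps({"spdxVersion": "SPDX-2.3", "name": "patched-image-sbom",
                        "packages": [{"name": "openssl", "versionInfo": "3.0.13-1"}]},
                       sort_keys=True).encode()

def oci_digest(blob: bytes) -> str:
    """OCI digest string ('sha256:<hex>') of a blob."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def cosign_sbom_tag(repo: str, image_digest: str) -> str:
    """Tag-based attachment: cosign stores an image's SBOM under <repo>:<algo>-<hex>.sbom."""
    algo, hexd = image_digest.split(":", 1)
    return f"{repo}:{algo}-{hexd}.sbom"

def referrers_manifest(image_digest: str, image_manifest_size: int, sbom: bytes,
                       artifact_type: str = "application/spdx+json") -> dict:
    """Referrers-style attachment: an OCI 1.1 manifest whose `subject` is the image
    the SBOM describes (what oras pushes when attaching an artifact)."""
    return {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "artifactType": artifact_type,
        # OCI 1.1 empty descriptor used as the config for pure artifacts.
        "config": {"mediaType": "application/vnd.oci.empty.v1+json",
                   "digest": oci_digest(b"{}"), "size": 2},
        "layers": [{"mediaType": artifact_type, "digest": oci_digest(sbom), "size": len(sbom)}],
        "subject": {"mediaType": "application/vnd.oci.image.manifest.v1+json",
                    "digest": image_digest, "size": image_manifest_size},
    }

def sbom_describes_image(manifest: dict, patched_digest: str, sbom: bytes) -> bool:
    """Consumer-side check: patching changes the image digest, so an SBOM attached to
    the pre-patch digest does not describe what actually runs. Require the referrer's
    subject to be the patched digest and its layer to match the SBOM bytes."""
    subject = manifest.get("subject", {})
    if subject.get("digest") != patched_digest:
        return False
    layers = manifest.get("layers", [])
    return (len(layers) == 1 and layers[0]["digest"] == oci_digest(sbom)
            and layers[0]["size"] == len(sbom))

if __name__ == "__main__":
    patched = "sha256:" + "b" * 64  # placeholder digest of the copa-patched image
    m = referrers_manifest(patched, 1234, SBOM_JSON)
    print(cosign_sbom_tag("ghcr.io/example/app", patched))
    print(json.dumps(m, indent=2))
    print("sbom matches patched image:", sbom_describes_image(m, patched, SBOM_JSON))
```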

@sozercan Thank you! At present, I have implemented my use case using Syft.

R3DRUN3 · Jan 17 '24 05:01