Puerco
While attestations are done and the code to sign and attach them is ready, using them is not finished yet.
If you specify sign=false and try to attach the unsigned attestation to an image, it will most likely fail as we have code to unmarshal the dsse envelope but not...
We should create a bunch of diagrams to illustrate how the whole image flow works
Currently, we read the known VEX data for a project from a simple file. At some point I think we should store it in the registry using a schema that...
Currently, to attest VEX data in an image, we point `vexctl` to a file containing the known VEX info for a project. We should think of a way to trust...
This PR wires SBOM generation into the melange build process. It creates basic SBOMs for all apks built by melange. The SBOMs themselves only inventory the apk contents and write...
This PR introduces the first iteration of the melange development environment. It is based on the apko equivalent with two main differences: 1. It uses our apko image to build...
We need to build a minimal SBOM generator into melange. The initial POC of the generator should be able to take the information from the OpenSBOM parsers and render a...
Add support for build-time SBOM generation by integrating the go parser from opensbom https://github.com/chainguard-dev/melange/issues/137#tasklist-block-f9e67421-5b10-42b6-b2ab-2662ecfef34b
Add support for build-time SBOM generation in rust projects by integrating the cargo parser from opensbom https://github.com/chainguard-dev/melange/issues/138#tasklist-block-9668ece8-edaf-47d5-88e3-6e89d97a82c2