Generate SBOM and Provenance metadata for Ratify release assets
What would you like to be added?
Ratify publishes images to GHCR. Ratify should generate and attach SBOM + provenance metadata to the published images.
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this feature?
- [ ] Yes, I am willing to implement it.
There are 2 approaches here:
- Use `docker buildx`'s `--attest` capability to generate Provenance and SBOM in-toto attestations. These are attached to the image index as OCI images. This does NOT use the referrer method. However, multiple projects including GK already use this approach. It is also the simplest to implement.
- Generate SBOM and SLSA provenance manually using corresponding tools and then use ORAS to attach to the image.
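To make the distinction in the first approach concrete, here is an added example (not Ratify's code) that walks an OCI image index laid out the way `docker buildx build --attest` stores attestations: extra index entries with platform `unknown/unknown` and `vnd.docker.reference.*` annotations pointing at the platform image they describe, rather than referrers with a `subject` field. The index JSON and its digests are constructed for illustration; a verifier would fetch the real index from the registry.

```python
"""Split a buildx-style OCI image index into platform images and their
attestation manifests, and report platforms that lack an attestation."""
import json

# Constructed sample index: two platform images, but only the amd64 image has
# a buildx attestation manifest attached. Digests are placeholders.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:aaaa", "size": 1,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:bbbb", "size": 1,
         "platform": {"os": "linux", "architecture": "arm64"}},
        # buildx attestation entry: not a runnable image, points back at aaaa
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:cccc", "size": 1,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": "sha256:aaaa"}},
    ],
})


def split_index(index_json):
    """Return ({image_digest: "os/arch"}, {image_digest: attestation_digest}).

    Attestation entries are recognised by the vnd.docker.reference.type
    annotation; everything else is treated as a platform image."""
    images, attestations = {}, {}
    for m in json.loads(index_json)["manifests"]:
        ann = m.get("annotations", {})
        if ann.get("vnd.docker.reference.type") == "attestation-manifest":
            attestations[ann["vnd.docker.reference.digest"]] = m["digest"]
        else:
            p = m.get("platform", {})
            images[m["digest"]] = f"{p.get('os')}/{p.get('architecture')}"
    return images, attestations


def unattested_platforms(index_json):
    """Platforms with no SBOM/provenance attestation in the index; a policy
    that requires attestations should reject these images."""
    images, attestations = split_index(index_json)
    return sorted(images[d] for d in images if d not in attestations)


if __name__ == "__main__":
    print("platforms missing attestations:", unattested_platforms(SAMPLE_INDEX))
```

With the referrers approach from the second bullet, the same check would instead query the registry's referrers for each platform digest, since the attestation manifests would not appear in the index at all.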
Closing since buildx attestation support has been added. New issue will be created to add SBOM and Provenance metadata as referrers artifacts attached to image.