Open jkowalleck opened 7 months ago
-c conda-forge as the default channel
verify_signature(): https://github.com/conda/conda-content-trust/blob/main/conda_content_trust/authentication.py#L253
Conda Security Practices:
conda install "conda>=4.10.1" "conda-token>=0.3.0" conda-content-trust
conda token set --enable-signature-verification <YOUR_PRODUCT_TOKEN>
Conda version 23.10+ uses libmamba as the default solver, which bypasses signature verification. If you are using conda 23.10 or later, you must configure your .condarc file to use the classic environment solver by running the following command:
conda config --set solver classic
docker build builds containers from Dockerfiles with BuildKit.
docker scout sbom: https://docs.docker.com/reference/cli/docker/scout/sbom/
By default, only the final build result is scanned - because of this, the resulting SBOM will not include build-time dependencies that may be installed in separate stages or the build context. This could cause you to miss vulnerabilities in those dependencies, which could impact the security of your final build artifacts.
To include these build-time dependencies from your Dockerfile, you can set the build arguments BUILDKIT_SBOM_SCAN_CONTEXT and BUILDKIT_SBOM_SCAN_STAGE to additionally scan the build context and other build stages respectively.
podman build --sbom: https://docs.podman.io/en/stable/markdown/podman-build.1.html#sbom-preset
Conda as a package manager is no longer supported since version 4. However, conda's Python environments are fully supported via the methods listed above. See the docs for an example.
- [ ] DOC: what does this mean?
This project is not about any Python specifics. Python specifics are managed by https://github.com/CycloneDX/cyclonedx-python.
This project is not about podman/docker/container specifics. It is about conda.
Conda provides package, dependency, and environment management for any language
Therefore, the vision is to have a tool that can generate an SBOM for all the "package, dependency, and environment management" conda does.
This project is currently looking for contributors.
Drop a note, or ping, if you are interested.