Closed krancour closed 2 years ago
Obviously, there's a big focus on securing the software supply chain right now.
This seems to be a good step in the right direction.
It should be fairly easy to automate SBOM generation from Docker images we've built and pushed. Syft seems as if it does the trick.
We likely need a different tool for the CLI. spdx-sbom-generator is from the Linux Foundation and seems as if it may be a viable option.
As for what we do with the SBOMs... for now, it seems we could tar them up and add them to the releases page.
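The flow proposed above, written out as a small release helper. This is an added example, not code from the issue or the project it belongs to: it generates one SPDX JSON SBOM per container image with syft, bundles every SBOM in a directory together with a SHA256SUMS file into a tarball for the releases page, and verifies such a bundle. The image names, output directory, tarball name and the `RUN_SBOM_RELEASE` switch are assumptions; the CLI's SBOM from spdx-sbom-generator is expected to be dropped into the same directory before bundling.

```shell
#!/bin/sh
# Added example, not code from the issue or its project: a release helper that
# generates an SPDX SBOM per container image with syft, bundles every SBOM in a
# directory together with a SHA256SUMS file, and verifies such a bundle.
# Image names, the output directory and the tarball name are assumptions.
set -eu

# sha256sum is the GNU tool; shasum ships with macOS/perl. Same arguments.
checksum() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Map an image reference to a safe file name:
#   example.com/org/app:v1.0.0 -> example.com_org_app_v1.0.0.spdx.json
image_to_filename() {
    printf '%s.spdx.json' "$(printf '%s' "$1" | tr '/:@' '___')"
}

# SBOM for one image. Requires syft; the "-o format=path" form needs a
# reasonably recent syft (older releases wrote to a path with --file).
sbom_for_image() {
    sbom_image="$1"; sbom_dir="$2"
    syft "$sbom_image" -o "spdx-json=$sbom_dir/$(image_to_filename "$sbom_image")"
}

# Checksum every *.json SBOM in the directory and tar the lot. SHA256SUMS is
# written first so it travels inside the archive; it lists the SBOMs, not itself.
bundle_sboms() {
    bundle_dir="$1"; bundle_tar="$2"
    ( cd "$bundle_dir" && checksum *.json > SHA256SUMS )
    tar -czf "$bundle_tar" -C "$bundle_dir" .
}

# Extract a bundle into a scratch directory and check every listed file.
# Returns 0 when all checksums match, 1 otherwise.
verify_bundle() {
    verify_tmp="$(mktemp -d)"
    tar -xzf "$1" -C "$verify_tmp"
    if ( cd "$verify_tmp" && checksum -c SHA256SUMS >/dev/null 2>&1 ); then
        verify_rc=0
    else
        verify_rc=1
    fi
    rm -rf "$verify_tmp"
    return "$verify_rc"
}

# Full release flow: one SBOM per image, then one tarball for the release page.
# The image names are assumed; the CLI's SBOM from spdx-sbom-generator can be
# placed in the same directory before bundling.
main() {
    out="${1:-sboms}"
    mkdir -p "$out"
    for img in example.com/myorg/apiserver:v1.0.0 example.com/myorg/worker:v1.0.0; do
        sbom_for_image "$img" "$out"
    done
    bundle_sboms "$out" sboms.tar.gz
    verify_bundle sboms.tar.gz && echo "sboms.tar.gz ready to attach to the release"
}

# Only run the full flow when asked, so the functions can be sourced or tested.
if [ "${RUN_SBOM_RELEASE:-0}" = 1 ]; then
    main "$@"
fi
```

Run it with `RUN_SBOM_RELEASE=1 sh sbom-release.sh` on a machine with syft installed. The checksum file is deliberately inside the tarball rather than beside it: anyone who downloads the bundle can check that the SBOMs were not altered after generation, and publishing the tarball's own digest (or signing it) on the release page is the natural next step.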