Open natalieparellano opened 9 months ago
Maintainers,
As you review this RFC please queue up issues to be created using the following commands:
/queue-issue <repo> "<title>" [labels]...
/unqueue-issue <uid>
(none)
Couple thoughts: There's been recent work in Buildkit and Docker to provide SBOM and provenance as part of the image. I think there's a lot that can be potentially re-used or integrated directly.
Attestation storage: They've achieved it via storing all the attestations in a single manifest, which I thought was pretty neat compared to the "image tag of sha256-hash" way of doing things - https://docs.docker.com/build/attestations/attestation-storage
Another aspect that I think is worth looking at is scanners. This will change the model of "who generates the SBOM?". Oftentimes, I've found not all buildpacks provide SBOMs and there's no easy fallback mechanism. I think having such scanners might help to provide a fallback or even merge the SBOMs to enrich them.
Buildkit supports attestations natively on the newer versions. So that might be handy. https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-provenance.md
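As an added illustration (not code from this RFC, BuildKit or Docker), the following walks the single-manifest attestation layout the comment refers to and reports which platforms actually ship an SBOM attestation, i.e. where a scanner fallback would be needed. The image index and attestation manifest are constructed samples; the annotation keys are the ones described in the Docker attestation-storage docs linked above.

```python
# Annotation keys used by Docker/BuildKit attestation storage (as documented at the Docker link above).
REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"
PREDICATE_TYPE = "in-toto.io/predicate-type"
SBOM_PREDICATE = "https://spdx.dev/Document"
INTOTO = "application/vnd.in-toto+json"
# Constructed sample index: two platform manifests, but only linux/amd64 has an attestation manifest.
INDEX = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json", "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:aaa",
     "platform": {"os": "linux", "architecture": "amd64"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:bbb",
     "platform": {"os": "linux", "architecture": "arm64"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:ccc",
     "platform": {"os": "unknown", "architecture": "unknown"},
     "annotations": {REF_TYPE: "attestation-manifest", REF_DIGEST: "sha256:aaa"}},
]}
# Constructed attestation manifest for sha256:ccc: one SBOM layer and one provenance layer.
MANIFESTS = {"sha256:ccc": {"layers": [
    {"mediaType": INTOTO, "digest": "sha256:111", "annotations": {PREDICATE_TYPE: SBOM_PREDICATE}},
    {"mediaType": INTOTO, "digest": "sha256:222",
     "annotations": {PREDICATE_TYPE: "https://slsa.dev/provenance/v0.2"}},
]}}

def split_index(index):
    """Separate platform manifests from attestation manifests.
    Returns (subject digest -> platform string, subject digest -> attestation manifest digest)."""
    subjects, attestations = {}, {}
    for m in index["manifests"]:
        ann = m.get("annotations", {})
        if ann.get(REF_TYPE) == "attestation-manifest":
            attestations[ann[REF_DIGEST]] = m["digest"]
        else:
            p = m.get("platform", {})
            subjects[m["digest"]] = f"{p.get('os')}/{p.get('architecture')}"
    return subjects, attestations

def predicate_types(manifest):
    """Predicate types carried by the in-toto layers of one attestation manifest."""
    return {l.get("annotations", {}).get(PREDICATE_TYPE)
            for l in manifest.get("layers", []) if l.get("mediaType") == INTOTO}

def sbom_coverage(index, manifests):
    """platform -> whether an SBOM attestation exists; False marks where a scanner fallback is needed."""
    subjects, attestations = split_index(index)
    covered = {}
    for digest, platform in subjects.items():
        att = attestations.get(digest)
        covered[platform] = att is not None and SBOM_PREDICATE in predicate_types(manifests.get(att, {}))
    return covered
```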