chainguard-dev / apko

Build OCI images from APK packages directly without Dockerfile
https://apko.dev
Apache License 2.0
1.2k stars 122 forks

create apko YAML from an SBOM #167

Open kaniini opened 2 years ago

kaniini commented 2 years ago

It would be neat to generate apko YAML files from an SBOM, something like:

syft packages alpine:latest --output cyclonedx-json | apko import -f cyclonedx > alpine-latest.yaml

But it seems like these SBOMs don't capture repository lists, or what is actually an /etc/apk/world dependency. Maybe we can work with Anchore on this?

luhring commented 2 years ago

Let's do it!

We've talked before about the possibility of re-hydrating artifacts from SBOMs. (This came up in an sget conversation a couple times, I think). I think it's super cool.

If Syft started capturing repositories and world dependencies, would that be enough information to create a suitable apko YAML file?
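A sketch of the importer the two comments above describe, added here as an illustration; it is not apko's or Syft's code and it is not the `apko import` subcommand from the proposed command line. It parses a CycloneDX JSON document, keeps only the components whose package URL is of type `apk`, and pins each one to the version recorded in the SBOM. The two gaps named in the issue are made explicit: the repository list has to be supplied out of band, and without a `/etc/apk/world` list the script has no way to tell requested packages from transitive dependencies, so it pins everything. Assumptions not taken from the issue: the purl shape `pkg:apk/<vendor>/<name>@<version>?arch=...&distro=...`, the `contents.repositories` / `contents.keyring` / `contents.packages` / `archs` keys and the `name=version` pin syntax in the generated YAML, and the sample SBOM, which is constructed inline.

```python
"""SBOM -> apko YAML importer sketch (added example, not apko's own code)."""
import json
from urllib.parse import parse_qs, unquote

# Constructed sample SBOM mimicking the CycloneDX JSON shape syft emits.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "busybox", "version": "1.35.0-r17",
         "purl": "pkg:apk/alpine/busybox@1.35.0-r17?arch=x86_64&distro=alpine-3.16.0"},
        {"type": "library", "name": "musl", "version": "1.2.3-r0",
         "purl": "pkg:apk/alpine/musl@1.2.3-r0?arch=x86_64&distro=alpine-3.16.0"},
        {"type": "library", "name": "alpine-keys", "version": "2.4-r1",
         "purl": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=alpine-3.16.0"},
        # A non-apk component; the importer must skip it rather than emit it.
        {"type": "library", "name": "leftpad", "version": "1.0.0",
         "purl": "pkg:npm/leftpad@1.0.0"},
    ],
})


def parse_apk_purl(purl):
    """Return (name, version, qualifiers) for an apk purl, None for any other type.

    Assumed purl layout: pkg:apk/<vendor>/<name>@<version>?k=v&...
    """
    if not purl.startswith("pkg:"):
        return None
    body, _, query = purl[4:].partition("?")
    segments = body.split("/")
    if segments[0] != "apk" or len(segments) < 2:
        return None
    name, _, version = unquote(segments[-1]).partition("@")
    qualifiers = {k: v[0] for k, v in parse_qs(query).items()}
    return name, version, qualifiers


def sbom_to_apko(sbom_json, repositories, keyring=(), world=None):
    """Build an apko config dict from a CycloneDX JSON string.

    `repositories` and `keyring` come from the caller because the SBOM does not
    record them.  `world` is the explicit /etc/apk/world list; when it is None
    every apk component is pinned, which over-constrains the image because
    transitive dependencies are then requested by name too.
    Returns (config, skipped_component_names).
    """
    doc = json.loads(sbom_json)
    pinned = {}   # name -> version, in SBOM order
    archs = set()
    skipped = []
    for comp in doc.get("components", []):
        parsed = parse_apk_purl(comp.get("purl", ""))
        if parsed is None:
            skipped.append(comp.get("name"))
            continue
        name, version, quals = parsed
        pinned[name] = version
        if "arch" in quals:
            archs.add(quals["arch"])
    requested = list(pinned) if world is None else list(world)
    missing = [p for p in requested if p not in pinned]
    if missing:
        # A world entry the SBOM never saw cannot be pinned; refuse rather than guess.
        raise ValueError(f"world entries absent from SBOM: {missing}")
    config = {
        "contents": {
            "repositories": list(repositories),
            "keyring": list(keyring),
            "packages": [f"{p}={pinned[p]}" for p in requested],
        },
        "archs": sorted(archs),
    }
    return config, skipped


def render_yaml(config):
    """Emit the config as apko-style YAML without a YAML library."""
    lines = ["contents:"]
    for key in ("repositories", "keyring", "packages"):
        items = config["contents"][key]
        lines.append(f"  {key}: []" if not items else f"  {key}:")
        lines.extend(f"    - {item}" for item in items)
    lines.append("archs: []" if not config["archs"] else "archs:")
    lines.extend(f"  - {a}" for a in config["archs"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Repository URL is an assumed example; it must be supplied by the operator.
    cfg, skipped = sbom_to_apko(
        SAMPLE_CYCLONEDX, ["https://dl-cdn.alpinelinux.org/alpine/v3.16/main"],
        world=["busybox"])
    print(render_yaml(cfg))
    print("# skipped non-apk components:", skipped)
```

Passing `world=["busybox"]` yields a single pinned package, while omitting `world` pins `busybox`, `musl` and `alpine-keys` alike; that difference is exactly why the SBOM alone is not enough and why capturing `/etc/apk/world` (and the repository list) in Syft output would close the gap.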

kaniini commented 2 years ago

Yeah, absolutely!