dashpay / dash

Dash - Reinventing Cryptocurrency
https://www.dash.org
MIT License

feat: add sbom and provenance in release for dockerhub; use jammy; apt remove as possible #6160

Closed PastaPastaPasta closed 2 months ago

PastaPastaPasta commented 2 months ago

Issue being fixed or feature implemented

Docker provenance refers to the origin and history of Docker images, including how they were built, modified, and by whom. An SBOM (Software Bill of Materials) is a detailed list of all components in a software application, providing transparency about libraries, dependencies, and versions used, which is crucial for security and compliance.

What was done?

Add SBOM and provenance to docker build; this may allow some level of validation that GitHub Actions is actually doing what it says it is.

See this for more information: https://docs.docker.com/build/ci/github-actions/attestations/

How Has This Been Tested?

Building with buildx with sbom and provenance flags locally

Breaking Changes

None

Checklist:

Go over all the following points, and put an x in all the boxes that apply.
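The kind of validation the description refers to, as an added example that is not part of this PR or the dash repository: a consumer of the published image pulls the provenance attestation with `docker buildx imagetools inspect IMAGE --format '{{ json .Provenance }}'` and checks that it names a GitHub Actions run of the expected repository and a Dockerfile taken from the expected commit. The SLSA v0.2 field layout, the single-platform output shape, and the repository and commit values are assumptions of this example, and the sample attestation is constructed.

```python
"""Check an image's provenance attestation against the repo and commit you expect.
Input: the JSON printed by
    docker buildx imagetools inspect IMAGE --format '{{ json .Provenance }}'
for a single-platform image. The field names below follow the SLSA v0.2
provenance BuildKit emits; that layout is an assumption of this example."""
import json
import re

# Constructed sample in that shape; the repo, run id and digests are placeholders,
# not values from a real dashpay/dash attestation.
SAMPLE_PROVENANCE = json.dumps({
    "SLSA": {
        "builder": {"id": "https://github.com/example-org/example-repo/actions/runs/1/attempts/1"},
        "buildType": "https://mobyproject.org/buildkit@v1",
        "invocation": {"configSource": {
            "uri": "https://github.com/example-org/example-repo.git#refs/heads/main",
            "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"},
            "entryPoint": "Dockerfile"}},
        "materials": [{"uri": "pkg:docker/ubuntu@jammy?platform=linux%2Famd64",
                       "digest": {"sha256": "a" * 64}}],
        "metadata": {"completeness": {"materials": True}},
    }
})


def check_provenance(raw, repo, commit):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    slsa = json.loads(raw).get("SLSA")
    if slsa is None:
        return ["no SLSA provenance attached (image built without --provenance?)"]
    # The builder id is the workflow run URL, so it ties the image to one CI run of one repo.
    builder = slsa.get("builder", {}).get("id", "")
    run_url = rf"https://github\.com/{re.escape(repo)}/actions/runs/\d+(/attempts/\d+)?"
    if not re.fullmatch(run_url, builder):
        findings.append(f"builder id is not a GitHub Actions run of {repo}: {builder!r}")
    # configSource records where the Dockerfile came from and at which commit.
    src = slsa.get("invocation", {}).get("configSource", {})
    if not src.get("uri", "").startswith(f"https://github.com/{repo}"):
        findings.append(f"Dockerfile source is not {repo}: {src.get('uri')!r}")
    got_commit = src.get("digest", {}).get("sha1")
    if got_commit != commit:
        findings.append(f"Dockerfile taken from commit {got_commit!r}, expected {commit!r}")
    # Without a complete materials list the base image (e.g. ubuntu:jammy) cannot be checked.
    if not slsa.get("metadata", {}).get("completeness", {}).get("materials"):
        findings.append("materials list marked incomplete; base image cannot be verified from it")
    return findings
```

For a multi-platform image the same command returns one such object per platform, so run the check on each entry.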