search

docker / go-imageinspect

Apache License 2.0
15 stars 2 forks source link

SBOM fallback generation #13

Open jedevc opened 1 year ago

jedevc commented 1 year ago

Not every image will have SBOMs attached to it (especially as it requires opt-in).

If an SBOM is requested, but one is not attached, we should attempt to create a scan of the image using one of the buildkit scanners as a fallback. This allows consumers of the library to more transparently consume SBOM results, and easily query it - this could be massively useful for the docker sbom command and similar.

We should probably only enable this behavior if there's some user-specified config to do this, so we should have a global config object for the loader that allows configuration of this behavior.

tonistiigi commented 1 year ago

1) Make sure the library doesn't run these things locally. This is not safe. To use this user would need to provide docker or buildkit endpoint. 2) This should be opt-in. It has very different performance characteristics than just reading the SBOM from the registry.