Open lbussell opened 1 month ago
Also related: https://github.com/dotnet/docker-tools/issues/1151
[Triage] There are several questions we'd like to get more clarity on:
[Triage] Before diving into the mechanics of how and when and to what versions to attach SBOMs for, we should research what SBOM generator tools generate for our images. For example, what does .NET's SBOM look like? Is it presentable, or even useful? That should be a prerequisite to attaching SBOMs to our images.
We can use the ORAS tool to directly attach SBOMs to our images in our container registry. This makes the content of our images more discoverable and opens up the possibility for automation based on the SBOM (for example, rebuilds when we have CVEs or package updates). This can decouple the "scanning" of the image from the actions based on that scan.
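To make the attach/discover mechanics concrete, here is an added example (mine, not code from this issue or from dotnet/docker): it builds a constructed SPDX SBOM for a placeholder image, wraps it in the OCI 1.1 referrer manifest shape that `oras attach` pushes (an image manifest whose `subject` points at the image digest), filters a referrers index by `artifactType` the way `oras discover --artifact-type` does, checks that a discovered SBOM is actually bound to the image before trusting it, and finally shows the "rebuild on advisory" automation hook the paragraph mentions. The image manifest bytes, package list and advisory entries are all constructed sample data; `IMAGE_REF` is a placeholder, not a real .NET image.

```python
import hashlib
import json

SPDX_MEDIA_TYPE = "application/spdx+json"
OCI_MANIFEST_TYPE = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX_TYPE = "application/vnd.oci.image.index.v1+json"
OCI_EMPTY_TYPE = "application/vnd.oci.empty.v1+json"
NOTATION_SIG_TYPE = "application/vnd.cncf.notary.signature"  # Notation's signature artifactType

# Constructed sample image: placeholder reference and placeholder manifest bytes, not a real .NET image.
IMAGE_REF = "example.azurecr.io/dotnet/runtime:8.0-placeholder"
IMAGE_MANIFEST_BYTES = b'{"schemaVersion":2,"constructed":"placeholder image manifest"}'


def digest_of(data: bytes) -> str:
    """OCI content digest: 'sha256:' followed by the hex SHA-256 of the bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_sbom(image_ref: str, packages: dict) -> bytes:
    """Minimal SPDX 2.3 JSON document for an image (constructed; a real generator emits far more)."""
    doc = {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": image_ref,
        "packages": [
            {"SPDXID": f"SPDXRef-Package-{i}", "name": name, "versionInfo": version}
            for i, (name, version) in enumerate(sorted(packages.items()))
        ],
    }
    return json.dumps(doc, sort_keys=True).encode()


def build_referrer_manifest(sbom: bytes, subject_manifest: bytes) -> dict:
    """Image manifest with a `subject` field (OCI distribution 1.1 referrers): the SBOM is stored as a
    layer blob, artifactType marks it as SPDX, and `subject` binds it to the image manifest by digest."""
    return {
        "schemaVersion": 2,
        "mediaType": OCI_MANIFEST_TYPE,
        "artifactType": SPDX_MEDIA_TYPE,
        "config": {"mediaType": OCI_EMPTY_TYPE, "digest": digest_of(b"{}"), "size": 2},
        "layers": [{"mediaType": SPDX_MEDIA_TYPE, "digest": digest_of(sbom), "size": len(sbom)}],
        "subject": {"mediaType": OCI_MANIFEST_TYPE, "digest": digest_of(subject_manifest),
                    "size": len(subject_manifest)},
    }


def referrers_index(manifests: list) -> dict:
    """Shape of a registry's referrers response: an OCI index listing each referrer and its artifactType."""
    entries = []
    for m in manifests:
        raw = json.dumps(m, sort_keys=True).encode()
        entries.append({"mediaType": m["mediaType"], "digest": digest_of(raw), "size": len(raw),
                        "artifactType": m.get("artifactType")})
    return {"schemaVersion": 2, "mediaType": OCI_INDEX_TYPE, "manifests": entries}


def discover(index: dict, artifact_type: str = SPDX_MEDIA_TYPE) -> list:
    """The filter `oras discover --artifact-type` applies: keep only referrers of one artifact type."""
    return [e for e in index["manifests"] if e.get("artifactType") == artifact_type]


def bound_to_image(referrer: dict, image_manifest: bytes) -> bool:
    """Before acting on an SBOM, confirm its subject digest and size match the image you pulled."""
    subj = referrer.get("subject") or {}
    return subj.get("digest") == digest_of(image_manifest) and subj.get("size") == len(image_manifest)


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple; enough for the constructed sample versions."""
    return tuple(int(p) for p in v.split("."))


def packages_needing_rebuild(sbom: bytes, advisories: dict) -> list:
    """Automation hook: (package, version, advisory id) for SBOM packages below an advisory's fixed version.
    `advisories` maps package name -> {"id", "fixed_in"}; the entries used here are constructed."""
    doc = json.loads(sbom)
    hits = []
    for pkg in doc["packages"]:
        adv = advisories.get(pkg["name"])
        if adv and parse_version(pkg["versionInfo"]) < parse_version(adv["fixed_in"]):
            hits.append((pkg["name"], pkg["versionInfo"], adv["id"]))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(IMAGE_REF, {"libssl3": "3.0.13", "zlib1g": "1.3"})
    sbom_ref = build_referrer_manifest(sbom, IMAGE_MANIFEST_BYTES)
    # A second referrer of a different type, so discovery has something to filter out.
    sig_ref = {"schemaVersion": 2, "mediaType": OCI_MANIFEST_TYPE,
               "artifactType": NOTATION_SIG_TYPE, "subject": sbom_ref["subject"]}
    index = referrers_index([sbom_ref, sig_ref])
    print(json.dumps(discover(index), indent=2))
    print("bound to image:", bound_to_image(sbom_ref, IMAGE_MANIFEST_BYTES))
    advisories = {"libssl3": {"id": "ADV-CONSTRUCTED-0001", "fixed_in": "3.0.14"}}
    print("rebuild needed for:", packages_needing_rebuild(sbom, advisories))
```

Against a real registry the same two steps are the ORAS CLI forms I am assuming here: `oras attach --artifact-type application/spdx+json <image> sbom.spdx.json:application/spdx+json` to push the referrer, and `oras discover --artifact-type application/spdx+json <image>` to list it. The `bound_to_image` check is the part worth keeping in any automation: a referrer is only as trustworthy as its subject binding, so verify the digest before letting an SBOM trigger a rebuild.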
SBOMs are an attestation/supply chain artifact and can also be signed:
Example
SBOM Discovery
Additional Context
Related: #4589