Open Vad1mo opened 3 weeks ago
Currently, we are signing the images with cosign; we should also attach the generated SBOMs (from GoReleaser or otherwise) to the image.
Here is a guide: https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/attestation/sbom/
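The flow from the linked Trivy guide, sketched as an added example (not part of the original issue and not the project's release code). It assumes key-based cosign signing with `cosign.key`/`cosign.pub` and Trivy as the SBOM generator; the helper names and the image reference are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: attach a CycloneDX SBOM attestation to an already-signed image.
# Assumptions: key pair at COSIGN_KEY / COSIGN_PUB (defaults below), hypothetical image name.

# run: execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# is_digest_ref: succeed only for references pinned as name@sha256:<64 lowercase hex>.
is_digest_ref() {
  case "$1" in
    *@sha256:*) ref_hex="${1##*@sha256:}" ;;
    *) return 1 ;;
  esac
  [ "${#ref_hex}" -eq 64 ] || return 1
  case "$ref_hex" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# attest_sbom IMAGE [SBOM_FILE]: generate, attest and read back the SBOM.
attest_sbom() {
  image="$1"
  sbom="${2:-sbom.cdx.json}"
  # A tag can be re-pointed between signing and attesting; only a digest
  # guarantees the SBOM is bound to the same image that was signed.
  if ! is_digest_ref "$image"; then
    echo "refusing to attest '$image': pin the image by digest" >&2
    return 2
  fi
  # 1. Generate the SBOM for exactly that image.
  run trivy image --format cyclonedx --output "$sbom" "$image" || return 1
  # 2. Sign the SBOM as an in-toto attestation stored next to the image.
  run cosign attest --yes --key "${COSIGN_KEY:-cosign.key}" \
    --type cyclonedx --predicate "$sbom" "$image" || return 1
  # 3. Read it back; this fails if the attestation is missing or was not
  #    signed by our key.
  run cosign verify-attestation --key "${COSIGN_PUB:-cosign.pub}" \
    --type cyclonedx "$image" || return 1
}

# Usage: DRY_RUN=1 attest_sbom 'registry.example.com/app@sha256:<digest>'
```

With `DRY_RUN=1` the function only prints the three commands, which is useful for checking a release pipeline before it touches the registry.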