oras-project / oras

OCI registry client - managing content like artifacts, images, packages
https://oras.land
Apache License 2.0
1.44k stars 174 forks

Support pulling referrers from an image manifest #1308

Open FeynmanZhou opened 6 months ago

FeynmanZhou commented 6 months ago

What is the version of your ORAS CLI

ORAS v1.2.0-beta.1

What would you like to be added?

Provide a flag to enable users to pull referrers from an image manifest to local.

Why is this needed for ORAS?

In a container secure supply chain scenario, users may want to pull only the referrers (e.g. SBOM, signature, vulnerability scanning report) without pulling the subject image. Suppose there is a large image with referrers in the registry; users may want to verify the supply chain metadata before pulling and using the image locally. This will reduce the performance and bandwidth cost.

Are you willing to submit PRs to contribute to this feature?
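
One way to make the scenario above concrete, as an added example that is not part of this issue or of the oras project's own code: a small Go program that parses a Referrers API response (the OCI image index a registry returns for a subject digest under `/v2/<name>/referrers/<digest>`), keeps only the referrers whose `artifactType` the user asked for, and rejects malformed digests before anything is fetched. The sample response and its digests are constructed placeholders; the `artifactType` strings are assumed to be the conventional ones for SPDX SBOMs, Notation signatures and SARIF reports, and the function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Descriptor is an OCI content descriptor, the element type of the
// "manifests" list in a Referrers API response (an OCI image index).
type Descriptor struct {
	MediaType    string            `json:"mediaType"`
	Digest       string            `json:"digest"`
	Size         int64             `json:"size"`
	ArtifactType string            `json:"artifactType,omitempty"`
	Annotations  map[string]string `json:"annotations,omitempty"`
}

// Index is the OCI image index shape returned by the Referrers API.
type Index struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Manifests     []Descriptor `json:"manifests"`
}

// sampleReferrers is a constructed Referrers API response for a hypothetical
// subject image; the digests are placeholders, not real content addresses.
const sampleReferrers = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
     "size": 1234, "artifactType": "application/spdx+json"},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:1123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
     "size": 567, "artifactType": "application/vnd.cncf.notary.signature"},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:2123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
     "size": 89012, "artifactType": "application/sarif+json"}
  ]
}`

// digestRE accepts only the sha256 digest form a client can verify on fetch.
var digestRE = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// SelectReferrers parses a referrers index and returns the descriptors whose
// artifactType is listed in wanted (no wanted values keeps every referrer).
// A malformed digest anywhere makes the whole response untrusted, because the
// digest is exactly what the client fetches and verifies next.
func SelectReferrers(indexJSON []byte, wanted ...string) ([]Descriptor, error) {
	var idx Index
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, fmt.Errorf("decode referrers index: %w", err)
	}
	if idx.MediaType != "application/vnd.oci.image.index.v1+json" {
		return nil, fmt.Errorf("unexpected media type %q", idx.MediaType)
	}
	keep := make(map[string]bool, len(wanted))
	for _, w := range wanted {
		keep[w] = true
	}
	var out []Descriptor
	for _, d := range idx.Manifests {
		if !digestRE.MatchString(d.Digest) {
			return nil, fmt.Errorf("malformed digest %q in referrers index", d.Digest)
		}
		if len(keep) == 0 || keep[d.ArtifactType] {
			out = append(out, d)
		}
	}
	return out, nil
}

// TotalSize sums the manifest sizes of the selected referrers: the bytes a
// client fetches for the manifests alone, before any referrer blobs and
// without touching the subject image's layers.
func TotalSize(ds []Descriptor) int64 {
	var n int64
	for _, d := range ds {
		n += d.Size
	}
	return n
}

func main() {
	sel, err := SelectReferrers([]byte(sampleReferrers),
		"application/spdx+json", "application/vnd.cncf.notary.signature")
	if err != nil {
		panic(err)
	}
	for _, d := range sel {
		fmt.Printf("%s  %s  %d bytes\n", d.ArtifactType, d.Digest, d.Size)
	}
	fmt.Printf("manifest bytes to fetch: %d\n", TotalSize(sel))
}
```

The selection step is where a client decides what to download: with the SBOM and signature chosen, only their manifests (and later their blobs) are fetched, and the subject image's layers are never requested, which is the bandwidth saving the request describes.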

shizhMSFT commented 6 months ago

Pre-requisite issues:

Related issues: