What is the version of your ORAS CLI
ORAS v1.2.0-beta.1
What would you like to be added?
Provide a flag to enable users to pull referrers from an image manifest to local.
Why is this needed for ORAS?
In a container secure supply chain scenario, users may pull only the referrers (e.g. SBOM, signature, vuln scanning report) without pulling the subject image. Suppose there is a large image with referrers in the registry; users may want to verify the supply chain metadata before pulling and using the image locally. It will reduce the performance and bandwidth cost.
Are you willing to submit PRs to contribute to this feature?