Closed naveensrinivasan closed 2 years ago
@dlorenc @azeemshaikh38 @inferno-chromium @laurentsimon Thoughts?
Updating the scope of this issue as per yesterday's discussion. We already have #309 for the cosign issue. Let's use this issue to instead track the generation of SBOM for Scorecards.
The proposal is to generate an SBOM for gcr.io/openssf/scorecard and sign the docker image and the SBOM with cosign.
SBOM
A “Software Bill of Materials” (SBOM) is effectively a nested inventory, a list of ingredients that make up software components. The following documents were drafted by stakeholders in an open and transparent process to address transparency around software components and were approved by a consensus of participating stakeholders.
Source: https://www.ntia.gov/SBOM
Tool to generate SBOM
Recently the k8s team built a tool for generating SBOMs, https://github.com/kubernetes/release/blob/master/cmd/bom/README.md, which is not specific to k8s. It generates SBOMs in SPDX format.
cosign
cosign will be used to sign the SBOM and the docker container as part of the merge to main. The SBOM and the signature would be stored in gcr.io.
Keys
The private keys and public keys for signing the image would be stored as plain text in the scorecard repository. The public key can be used to verify the validity of the signature.
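The release steps sketched above (generate the SBOM with bom, sign the image and the SBOM with cosign, publish to gcr.io, verify with the public key) as one script. This is an added example, not the scorecard project's own release tooling; it assumes cosign and bom are on PATH, that the caller is already logged in to gcr.io, that COSIGN_PASSWORD is set, and that the private key is read from a path outside the repository (only cosign.pub is committed), so it refuses to run if a private key is found in the working tree.

```shell
#!/bin/sh
# Added example (not the scorecard project's script): build an SPDX SBOM for the
# image with bom, sign image + SBOM with cosign, attach the SBOM to the image in
# the registry, then verify both with the committed public key.
# Assumed: cosign and bom on PATH, gcr.io login done, COSIGN_PASSWORD exported,
# private key at $COSIGN_KEY outside the repository, public key in cosign.pub.
set -eu

IMAGE="${IMAGE:-gcr.io/openssf/scorecard:latest}"
SBOM="${SBOM:-scorecard.spdx}"
COSIGN_KEY="${COSIGN_KEY:-$HOME/.cosign/cosign.key}"
COSIGN_PUB="${COSIGN_PUB:-cosign.pub}"

# Exit 0 if any file under $1 (default: current tree) holds a PEM private key;
# cosign keys start with "-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----".
# Used to refuse a release when a private key has been committed.
tree_has_private_key() {
  grep -rlE --exclude-dir=.git -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
    "${1:-.}" >/dev/null 2>&1
}

generate_sbom() {
  # bom (kubernetes/release cmd/bom) writes SPDX output for the image.
  bom generate --image "$IMAGE" --output "$SBOM"
}

sign_artifacts() {
  # Sign the container image; cosign pushes the signature next to it in gcr.io.
  cosign sign --key "$COSIGN_KEY" "$IMAGE"
  # Sign the SBOM file as a blob, then attach the SBOM to the image.
  cosign sign-blob --key "$COSIGN_KEY" --output-signature "$SBOM.sig" "$SBOM"
  cosign attach sbom --sbom "$SBOM" "$IMAGE"
}

verify_artifacts() {
  # Anyone holding cosign.pub can check both the image and the SBOM.
  cosign verify --key "$COSIGN_PUB" "$IMAGE"
  cosign verify-blob --key "$COSIGN_PUB" --signature "$SBOM.sig" "$SBOM"
}

main() {
  if tree_has_private_key .; then
    echo "refusing to release: a private key is checked into the working tree" >&2
    return 1
  fi
  generate_sbom && sign_artifacts && verify_artifacts
}

# Run the pipeline only when invoked as: sh sbom_sign.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```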