project-copacetic / copacetic

🧵 CLI tool for directly patching container images!
https://project-copacetic.github.io/copacetic/
Apache License 2.0

[QUESTION] add SBOM Attestation to patched images #472

Open R3DRUN3 opened 9 months ago

R3DRUN3 commented 9 months ago

What is your question?

Is there a way out-of-the-box to attach a Software Bill of Material to patched images, see for example this.
I searched in the docs and in the code but could not find anything.
It will be super useful, especially when using copa github action.

sozercan commented 9 months ago

@R3DRUN3 not at this time, out of box sbom generation (docker implementation) would require #298

You can generate container SBOMs with 3rd party tooling such as trivy sbom or syft today though. There are a few options for attaching secure supply chain artifacts, such as attaching via referrers (used by oras), tags (used by cosign) or part of OCI index/manifest list (used by docker).
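The workflow described in the answer above, written out as an added example (not copa's own code, nor the issue author's): patch with copa, generate the SBOM with syft against the patched image rather than the original, attach it as a cosign attestation, and then verify it, with the oras referrer route shown as the alternative. It assumes copa, trivy, syft, cosign and oras are on PATH, that copa's default `-patched` tag suffix is in use, that cosign runs in keyless mode, and the image reference, signing identity and OIDC issuer below are placeholders.

```shell
#!/bin/sh
# Added example, not part of the copa project. Assumed tools on PATH:
# trivy, copa (with a running buildkit), syft, cosign, oras, docker.
set -eu

# Placeholder signing identity / issuer for keyless verification (assumption).
SIGN_IDENTITY="${SIGN_IDENTITY:-ci@example.com}"
SIGN_ISSUER="${SIGN_ISSUER:-https://token.actions.githubusercontent.com}"

# Map a syft output format to the cosign predicate type and the OCI media
# type used when attaching via referrers. Prints "predicate media_type".
sbom_format_info() {
  case "$1" in
    spdx-json)      echo "spdxjson application/spdx+json" ;;
    cyclonedx-json) echo "cyclonedx application/vnd.cyclonedx+json" ;;
    *) echo "unsupported SBOM format: $1" >&2; return 1 ;;
  esac
}

# Derive the patched reference from "repo:tag" using copa's default
# "-patched" suffix (assumption: an explicit tag is always present).
patched_ref() {
  case "$1" in
    *:*) echo "${1}-patched" ;;
    *) echo "image reference must carry a tag: $1" >&2; return 1 ;;
  esac
}

# Patch, describe the *patched* image, attach the SBOM, verify it.
patch_and_attest() {
  image="$1"; format="${2:-spdx-json}"
  set -- $(sbom_format_info "$format")
  predicate="$1"; media_type="$2"
  patched="$(patched_ref "$image")"

  # 1. Vulnerability report for copa (OS packages with available fixes).
  trivy image --vuln-type os --ignore-unfixed -f json -o report.json "$image"

  # 2. Patch; copa's -t takes only the tag part of the patched reference.
  copa patch -i "$image" -r report.json -t "${patched##*:}"
  docker push "$patched"

  # 3. SBOM of the patched image: package versions changed during patching,
  #    so an SBOM of the original image would be stale.
  syft "$patched" -o "$format" > sbom.json

  # 4a. Attach as an in-toto attestation (cosign, tag-based discovery).
  cosign attest --yes --type "$predicate" --predicate sbom.json "$patched"

  # 4b. Alternative: attach as an OCI referrer (oras).
  oras attach --artifact-type "$media_type" "$patched" "sbom.json:$media_type"

  # 5. Verify the attestation before trusting it downstream; a consumer
  #    should run the same check rather than assume the SBOM is authentic.
  cosign verify-attestation --type "$predicate" \
    --certificate-identity "$SIGN_IDENTITY" \
    --certificate-oidc-issuer "$SIGN_ISSUER" "$patched" > /dev/null
  echo "$patched"
}

# Usage: ./patch_and_attest.sh docker.io/library/nginx:1.21.6 [spdx-json]
if [ $# -ge 1 ]; then
  patch_and_attest "$@"
fi
```

The verify step is the part worth keeping in any pipeline: an attached SBOM only carries supply-chain value if consumers check who signed it and for which image digest, so the identity and issuer pins should be as narrow as the signing workflow allows.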

R3DRUN3 commented 9 months ago

@sozercan Thank you! At present, I have implemented my use case using Syft.