Open R3DRUN3 opened 9 months ago

What is your question?

Is there a way out-of-the-box to attach a Software Bill of Material to patched images, see for example this.
I searched in the docs and in the code but could not find anything.
It will be super useful, especially when using copa github action.

@R3DRUN3 not at this time, out of box sbom generation (docker implementation) would require #298
you can generate container sboms with 3rd party tooling such as trivy sbom or syft today though.
there are a few options for attaching secure supply chain artifacts, such as attaching via referrers (used by oras), tags (used by cosign) or part of oci index/manifest list (used by docker)

@sozercan Thank you! At present, I have implemented my use case using Syft.
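The reply above names three ways an SBOM can be attached to an image: a referrer manifest (oras), a digest-derived tag (cosign), or an entry in the image's OCI index (docker). The script below is an added example, not code from this thread or from the copa, cosign, oras or syft projects; it builds the descriptor each convention produces for a constructed image digest and includes the consumer-side check a practitioner actually cares about: that a fetched SBOM really belongs to the exact image digest it claims to describe. The image name, digest and SBOM bytes are constructed placeholders, and no registry is contacted.

```python
import hashlib
import json

# Constructed sample values: a patched image reference and a fake manifest digest.
IMAGE = "registry.example.com/app/nginx-patched"
DIGEST = "sha256:" + "0123456789abcdef" * 4
SBOM_BYTES = json.dumps({"spdxVersion": "SPDX-2.3", "name": "constructed-sbom"}).encode()

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_EMPTY = "application/vnd.oci.empty.v1+json"


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def cosign_style_tag(repo: str, digest: str, suffix: str = "sbom") -> str:
    """Tag-based attachment (cosign): the SBOM is pushed to the same repository under a
    tag derived from the subject digest, e.g. repo:sha256-<hex>.sbom."""
    algo, hex_digest = digest.split(":", 1)
    return f"{repo}:{algo}-{hex_digest}.{suffix}"


def referrer_manifest(subject_digest: str, subject_size: int, sbom: bytes,
                      artifact_type: str = "application/spdx+json") -> dict:
    """Referrers-based attachment (oras): an OCI image manifest whose `subject` field names
    the image it describes, so the registry's referrers API can enumerate it."""
    return {
        "schemaVersion": 2,
        "mediaType": OCI_MANIFEST,
        "artifactType": artifact_type,
        "config": {"mediaType": OCI_EMPTY, "digest": sha256_digest(b"{}"), "size": 2},
        "layers": [{"mediaType": artifact_type, "digest": sha256_digest(sbom), "size": len(sbom)}],
        "subject": {"mediaType": OCI_MANIFEST, "digest": subject_digest, "size": subject_size},
    }


def docker_index_entry(attestation_digest: str, attestation_size: int, subject_digest: str) -> dict:
    """Index-based attachment (docker buildx): the attestation manifest is listed in the image's
    OCI index with annotations pointing back at the platform manifest it belongs to."""
    return {
        "mediaType": OCI_MANIFEST,
        "digest": attestation_digest,
        "size": attestation_size,
        "platform": {"architecture": "unknown", "os": "unknown"},
        "annotations": {
            "vnd.docker.reference.digest": subject_digest,
            "vnd.docker.reference.type": "attestation-manifest",
        },
    }


def sbom_belongs_to(manifest: dict, image_digest: str, sbom: bytes) -> bool:
    """Consumer-side check for a referrer: the subject must be the exact image digest being
    deployed, and a layer digest must match the SBOM bytes that were actually downloaded.
    A tag or annotation alone can be repointed; the digests are what bind the artifact."""
    if manifest.get("subject", {}).get("digest") != image_digest:
        return False
    return any(layer.get("digest") == sha256_digest(sbom) for layer in manifest.get("layers", []))


if __name__ == "__main__":
    print("cosign tag :", cosign_style_tag(IMAGE, DIGEST))
    ref = referrer_manifest(DIGEST, 1234, SBOM_BYTES)
    print("referrer   :", json.dumps(ref, indent=2))
    att_digest = sha256_digest(json.dumps(ref).encode())
    print("index entry:", json.dumps(docker_index_entry(att_digest, 512, DIGEST), indent=2))
    print("sbom bound :", sbom_belongs_to(ref, DIGEST, SBOM_BYTES))
```

Whichever convention a tool uses, the verification step is the same: resolve the image to a digest first, then accept only an SBOM whose descriptor is bound to that digest, never one looked up by mutable tag alone.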