Open akashsinghal opened 2 months ago
There are 2 approaches here:
`docker buildx`'s `--attest` capability to generate Provenance and SBOM in-toto attestations. These are attached to the image index as OCI images. This does NOT use the referrer method. However, multiple projects including GK already use this approach. It is also the simplest to implement.
What would you like to be added?
Ratify publishes images to GHCR. Ratify should generate and attach SBOM + provenance metadata to the published images.
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this feature?
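An added example, not part of the issue or of Ratify's code: because the buildx approach stores attestations as extra manifests in the image index rather than as referrers, a consumer can check coverage by reading the index alone. The sketch assumes the annotation keys BuildKit writes on attestation manifests (`vnd.docker.reference.type` and `vnd.docker.reference.digest`); the index and its digests are constructed placeholders.

```python
# Added example: pair each platform image in an OCI image index with the
# attestation manifest that buildx attached for it, and list images with none.
REF_TYPE = "vnd.docker.reference.type"      # annotation key (assumed, as written by BuildKit)
REF_DIGEST = "vnd.docker.reference.digest"  # digest of the image the attestation describes
MANIFEST = "application/vnd.oci.image.manifest.v1+json"


def placeholder_digest(ch):
    """Constructed digest for the sample below; not a real image."""
    return "sha256:" + ch * 64


# Constructed index: two platform images, only amd64 has an attestation manifest.
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": MANIFEST, "digest": placeholder_digest("a"),
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": MANIFEST, "digest": placeholder_digest("b"),
         "platform": {"architecture": "arm64", "os": "linux"}},
        {"mediaType": MANIFEST, "digest": placeholder_digest("c"),
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {REF_TYPE: "attestation-manifest",
                         REF_DIGEST: placeholder_digest("a")}},
    ],
}


def map_attestations(index):
    """Return {image_digest: attestation_manifest_digest or None}."""
    images, attested = [], {}
    for m in index.get("manifests", []):
        ann = m.get("annotations") or {}
        if ann.get(REF_TYPE) == "attestation-manifest":
            attested[ann.get(REF_DIGEST)] = m["digest"]
        else:
            images.append(m["digest"])
    return {d: attested.get(d) for d in images}


def missing_attestations(index):
    """Digests of platform images that have no attestation manifest in the index."""
    return sorted(d for d, a in map_attestations(index).items() if a is None)


if __name__ == "__main__":
    for image, att in map_attestations(SAMPLE_INDEX).items():
        print(image[:19], "->", att[:19] if att else "NO ATTESTATION")
```

The SBOM and provenance statements themselves sit in the layers of the attestation manifest; this check only confirms that one exists for each image.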