ratify-project / ratify

Artifact Ratification Framework
https://ratify.dev
Apache License 2.0

Generate SBOM and Provenance metadata for Ratify release assets #1436

Open akashsinghal opened 2 months ago

akashsinghal commented 2 months ago

What would you like to be added?

Ratify publishes images to GHCR. Ratify should generate and attach SBOM + provenance metadata to the published images.

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?

akashsinghal commented 3 weeks ago

There are 2 approaches here:

  1. Use docker buildx's --attest capability to generate Provenance and SBOM in-toto attestations. These are attached to the image index as OCI images. This does NOT use the referrer method. However, multiple projects including GK already use this approach. It is also the simplest to implement.
  2. Generate the SBOM and SLSA provenance manually using the corresponding tools and then use ORAS to attach them to the image.
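The two approaches above, written out as an added shell example (this is not Ratify's own release tooling, nor anything the commenter posted). Each approach is a function that issues the real `docker buildx`, `syft` and `oras` invocations; the `run` wrapper, the `DRY_RUN` switch, the image reference, the output file names and the provenance file name are assumptions made for this example. With `DRY_RUN=1` the commands are printed instead of executed, so the flag sets can be checked without a Docker daemon or a registry.

```shell
#!/bin/sh
# Added example, not Ratify's release pipeline. Placeholders: image refs,
# sbom.spdx.json, provenance.intoto.jsonl. DRY_RUN=1 prints commands only.

# Execute the given command, or print it when DRY_RUN=1 (assumed helper).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Approach 1: BuildKit generates the SBOM and SLSA provenance in-toto
# statements itself and stores them as extra "attestation" manifests in the
# image index (not as OCI 1.1 referrers). mode=max records the full build
# definition and materials in the provenance.
build_with_attestations() {
  image="$1"          # e.g. ghcr.io/example/app:v0.0.1 (placeholder)
  context="${2:-.}"
  run docker buildx build \
    --platform linux/amd64,linux/arm64 \
    --attest type=sbom \
    --attest type=provenance,mode=max \
    --push -t "$image" "$context"
}

# Read the buildx-generated attestations back out of the pushed index.
show_buildx_attestations() {
  image="$1"
  run docker buildx imagetools inspect "$image" --format '{{json .SBOM}}'
  run docker buildx imagetools inspect "$image" --format '{{json .Provenance}}'
}

# Approach 2: produce the SBOM with a separate tool (syft, SPDX JSON) and a
# provenance statement from the release pipeline, then attach both to the
# image as OCI referrers with oras. The artifact types are the media types
# the files actually contain; a verifier selects referrers by that type.
attach_with_oras() {
  image="$1"
  provenance="${2:-provenance.intoto.jsonl}"   # assumed to exist already
  run syft "$image" -o spdx-json=sbom.spdx.json
  run oras attach --artifact-type application/spdx+json \
    "$image" sbom.spdx.json:application/spdx+json
  run oras attach --artifact-type application/vnd.in-toto+json \
    "$image" "${provenance}:application/vnd.in-toto+json"
  # List what is now attached to the image (referrers API or fallback tag).
  run oras discover "$image"
}

# Driver: build with approach 1, then show the attestations.
main() {
  build_with_attestations "$1" "${2:-.}"
  show_buildx_attestations "$1"
}

# Only run when an image reference is given on the command line, e.g.
#   DRY_RUN=1 sh release-attest.sh ghcr.io/example/app:v0.0.1 .
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The two functions are deliberately independent: approach 1 leaves nothing for a referrers-based verifier to discover, because the attestation manifests hang off the index rather than the image manifest, whereas the oras-attached artifacts from approach 2 show up under `oras discover` and can be resolved through the OCI 1.1 referrers API.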