submariner-io / enhancements

Enhancement proposals for Submariner projects.
https://submariner.io/
Apache License 2.0

Publish SBOMs for the artifacts we produce #185

Open skitt opened 1 year ago

skitt commented 1 year ago

What would you like to be added:

Publish SBOMs alongside our release artifacts (container images, subctl binaries etc.).

Why is this needed:

This allows end-users to accurately determine the contents of our release artifacts. It might be possible to use krel to help with this; see this KubeCon presentation for details.

dfarrell07 commented 1 year ago

It looks like the relevant KubeCon recording isn't uploaded yet, but when it is it'll be here: https://www.youtube.com/playlist?list=PLj6h78yzYM2PR4KLskmLmNU20VtEnUMlw

dfarrell07 commented 1 year ago

Newer versions of Buildx have an SBOM feature that looks cool. It seems like it'll capture software used during the build process even if it's not in the final container build, which I don't know how we could achieve otherwise.

https://github.com/docker/buildx/releases/tag/v0.10.0
https://github.com/moby/buildkit/blob/v0.11.0/docs/attestations/sbom.md

It can also create attestations about the build process and environment:

https://github.com/moby/buildkit/blob/v0.11.0/docs/attestations/slsa-provenance.md
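Added example (not part of this issue thread and not Submariner or BuildKit code): what a consumer would do with an SBOM published alongside an image, which is the end-user need skitt describes above. BuildKit publishes its `--sbom=true` output as an in-toto Statement whose predicate is an SPDX JSON document (retrievable, per the linked sbom.md, with `docker buildx imagetools inspect <image> --format '{{ json .SBOM }}'`). The statement below is constructed to mimic that shape; the image name, digest, package list and exact field names are assumptions to check against real output. The check binds the SBOM to the artifact digest actually pulled (an SBOM that does not name your digest says nothing about your artifact), lists the recorded packages, and flags any that carry no version, since those cannot be matched against a vulnerability feed.

```python
"""Consume a BuildKit-style SBOM attestation for a release image.

Constructed example: the statement mimics an in-toto Statement v0.1 with an
SPDX 2.3 JSON predicate. Field names and sample contents are assumptions.
"""
from __future__ import annotations

import hashlib
import json

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"

# Constructed digest standing in for the manifest digest of a pulled image.
SAMPLE_IMAGE_DIGEST = hashlib.sha256(b"constructed manifest bytes").hexdigest()

# Constructed attestation; quay.io/example/subctl is a hypothetical image name.
SAMPLE_STATEMENT = json.dumps({
    "_type": IN_TOTO_STATEMENT_TYPE,
    "predicateType": SPDX_PREDICATE_TYPE,
    "subject": [
        {"name": "quay.io/example/subctl", "digest": {"sha256": SAMPLE_IMAGE_DIGEST}}
    ],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "quay.io/example/subctl",
        "packages": [
            {"SPDXID": "SPDXRef-Package-x-net", "name": "golang.org/x/net", "versionInfo": "v0.7.0"},
            {"SPDXID": "SPDXRef-Package-busybox", "name": "busybox", "versionInfo": "1.35.0-r29"},
            # A package with no version recorded: cannot be matched to advisories.
            {"SPDXID": "SPDXRef-Package-blob", "name": "mystery-blob"},
        ],
    },
})


class SbomError(ValueError):
    """Raised when the attestation is malformed or does not cover our artifact."""


def parse_attestation(raw: str, expected_sha256: str) -> dict:
    """Validate the statement envelope and bind it to the digest we actually pulled."""
    stmt = json.loads(raw)
    if stmt.get("_type") != IN_TOTO_STATEMENT_TYPE:
        raise SbomError(f"unexpected statement type {stmt.get('_type')!r}")
    if stmt.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise SbomError(f"unexpected predicate type {stmt.get('predicateType')!r}")
    # Accept both "sha256:<hex>" and bare hex, as tooling prints either.
    expected = expected_sha256.removeprefix("sha256:")
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if expected not in digests:
        raise SbomError("SBOM subject digest does not match the artifact digest")
    return stmt["predicate"]


def list_packages(predicate: dict) -> list[tuple[str, str]]:
    """Return sorted (name, version) pairs; a missing version is shown as '?'."""
    return sorted(
        (p["name"], p.get("versionInfo") or "?") for p in predicate.get("packages", [])
    )


def unversioned_packages(predicate: dict) -> list[str]:
    """Names of packages the SBOM records without any version."""
    return sorted(p["name"] for p in predicate.get("packages", []) if not p.get("versionInfo"))


def check_artifact(raw: str, expected_sha256: str) -> dict:
    """Full consumer check: verify binding, then report contents and gaps."""
    predicate = parse_attestation(raw, expected_sha256)
    return {
        "packages": list_packages(predicate),
        "unversioned": unversioned_packages(predicate),
    }


if __name__ == "__main__":
    report = check_artifact(SAMPLE_STATEMENT, SAMPLE_IMAGE_DIGEST)
    for name, version in report["packages"]:
        print(f"{name} {version}")
    if report["unversioned"]:
        print("packages without a recorded version:", ", ".join(report["unversioned"]))
```

Feed the real output of `imagetools inspect --format '{{ json .SBOM }}'` to `check_artifact` together with the digest from `docker inspect` or the pull log; a `SbomError` on the digest check means the SBOM was produced for a different build than the one you are running.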