Open
Description
Goal
Use docker/build-push-action to generate and attest SBOM.
Details
Right now we are using anchore/sbom-action to generate SBOMs for our images, which means the SBOM is produced after the build, from the finished image only.
It is better to generate the SBOM during the build, because that also captures the software used in intermediate build stages, which may not show up in the final image.
Thus we should use docker/build-push-action to generate and attest the SBOM, since the image is already built by this action.
References
https://docs.docker.com/build/ci/github-actions/attestations/
DoD
- SBOMs are being generated and attested using docker/build-push-action during the release pipeline
- SBOMs are not generated during CI builds
- Test if this is working properly, probably can use crane.
- anchore/sbom-action is removed.
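A release workflow that meets the DoD above, written here as an added example rather than this project's actual pipeline. It assumes images are pushed to ghcr.io, that releases are tag pushes (so plain CI builds never hit this job), and the pinned action versions shown; the crane check at the end is the "test if this is working" step.

```yaml
name: release
on:
  push:
    tags: ["v*"]   # release pipeline only; CI builds on branches do not attest

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    env:
      IMAGE: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4

      # Attestations require the docker-container driver that setup-buildx
      # provides; the default docker driver cannot attach them.
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true            # attestations are only stored when pushing to a registry
          tags: ${{ env.IMAGE }}
          # Generate an SPDX SBOM during the build (build stages included) and
          # attach it, with the build provenance, as in-toto attestations.
          sbom: true
          provenance: true

      # Verification: the pushed tag must resolve to an image index carrying at
      # least one manifest annotated as an attestation for the image.
      - name: Verify SBOM attestation with crane
        run: |
          go install github.com/google/go-containerregistry/cmd/crane@latest
          export PATH="$PATH:$(go env GOPATH)/bin"
          crane manifest "$IMAGE" | jq -e '
            [.manifests[]
             | select(.annotations["vnd.docker.reference.type"] == "attestation-manifest")]
            | length > 0'
          # Read the SBOM back to confirm it is a real SPDX document, not an empty one.
          docker buildx imagetools inspect "$IMAGE" --format '{{ json .SBOM }}' | jq -e '. != null'
```

`jq -e` makes the step fail when the index has no attestation manifest or the SBOM is missing, so a regression in the attestation settings breaks the release instead of going unnoticed.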