
Use Docker to generate and attest SBOMs #3309

Open
@rakshitgondwal

Description

Goal

Use docker/build-push-action to generate and attest SBOM.

Details

Right now we are using anchore/sbom-action to generate SBOMs for our images. This means we are generating SBOMs after our build process.
It is better to generate SBOMs during the build process, as it makes it easy for us to detect software we use to build our image that may not show up in the final image.

Thus we should use docker/build-push-action to generate and attest the SBOM, as the image is built via this action only.

References

https://docs.docker.com/build/ci/github-actions/attestations/

DoD

  • SBOMs are being generated and attested using docker/build-push-action during the release pipeline
  • SBOMs are not generated during CI builds
  • Test that this is working properly; crane can probably be used.
  • anchore/sbom-action is removed.
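The following release workflow is an added example of what the DoD above asks for; it is not the project's own workflow. It assumes the image is pushed to ghcr.io under the repository name, that the release pipeline is triggered by `v*` tags (so plain CI builds never run it and `sbom` stays at its default of false there), and that the `docker buildx imagetools inspect --format '{{ json .SBOM }}'` output documented by Docker contains the string `"SPDX"` when an SBOM attestation is attached.

```yaml
# Added example: release-only image build that generates and attests an SBOM
# with docker/build-push-action, then verifies the attestation is present.
name: release

on:
  push:
    tags: ["v*"]   # assumption: releases are tagged v*; CI on branches uses a separate workflow

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      # Attestations need the docker-container BuildKit driver; the default
      # "docker" driver silently cannot produce them.
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/metadata-action@v5
        id: meta
        with:
          images: ghcr.io/${{ github.repository }}   # assumption: image name

      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true                 # attestations are only emitted for registry/OCI exports
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          sbom: true                 # SPDX SBOM generated during the build, attached as an in-toto attestation
          provenance: mode=max       # SLSA provenance; mode=max records build args, so keep secrets out of --build-arg

      - name: Verify SBOM attestation is attached
        run: |
          ref="ghcr.io/${{ github.repository }}:${{ steps.meta.outputs.version }}"
          sbom="$(docker buildx imagetools inspect "$ref" --format '{{ json .SBOM }}')"
          # assumption: a present SBOM renders as {"SPDX": ...} (per platform for multi-arch images)
          if ! printf '%s' "$sbom" | grep -q '"SPDX"'; then
            echo "no SBOM attestation found on $ref" >&2
            exit 1
          fi
          echo "SBOM attestation present on $ref"
```

With this in place, the attestation is stored in the image index alongside the platform manifests, so `crane manifest ghcr.io/<owner>/<repo>:<tag>` should show an extra manifest entry annotated with `vnd.docker.reference.type: attestation-manifest`; that is the check the DoD's crane item refers to. Once the release workflow is verified, the anchore/sbom-action step and any SBOM upload that depended on its output can be dropped.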
