I noticed that Syft JSON SBOMs were previously supported in the deprecated cosign attach sbom command. With the move to the new SBOM attestations workflow, Syft JSON is no longer a supported --type. Currently, the supported types are:
slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom
While --type custom could technically carry a Syft JSON file, it is not automatically recognized as an SBOM by most tools, and users lose the native workflow integration they previously had.
Enhancement request:
- Add native support for Syft JSON as a recognized --type in cosign attest.
- This would simplify workflows for teams that:
  - Use Syft for SBOM generation
  - Rely on Grype/VEX for vulnerability scanning
  - Want to attach SBOMs directly to container images without generating duplicate formats (CycloneDX/SPDX)
Was there a specific reason Syft JSON was removed as a --type when moving from cosign attach sbom to the new SBOM attestations workflow?
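To make the recognition gap concrete, here is an added illustration (not code from the issue or from cosign) of why a Syft JSON file attached with --type custom is not seen as an SBOM by tools that key on predicateType. The Syft document and digests are constructed samples; the predicateType URIs are the ones cosign assigns to the spdx, cyclonedx and custom types, and the Data/Timestamp predicate layout follows cosign's custom predicate (treat those field names as an assumption if your version differs).

```python
import base64
import json

# predicateType URIs cosign attest assigns to its built-in SBOM --type values
SBOM_PREDICATE_TYPES = {
    "https://spdx.dev/Document": "spdx",
    "https://cyclonedx.org/bom": "cyclonedx",
}
# predicateType cosign uses for --type custom
CUSTOM_PREDICATE_TYPE = "https://cosign.sigstore.dev/attestation/v1"

# Constructed, minimal Syft JSON document standing in for `syft <image> -o json` output
SYFT_SBOM = {
    "artifacts": [{"name": "openssl", "version": "3.0.13", "type": "deb"}],
    "source": {"type": "image", "target": "example.invalid/app:1.0"},
    "descriptor": {"name": "syft", "version": "0.0.0-constructed"},
    "schema": {"version": "16.0.0"},
}
SYFT_SBOM_BYTES = json.dumps(SYFT_SBOM).encode()

def custom_predicate(raw_file_bytes, timestamp):
    """Predicate body for --type custom: the file travels as an opaque string in Data."""
    return {"Data": raw_file_bytes.decode(), "Timestamp": timestamp}

def make_envelope(predicate_type, predicate, image_digest_hex):
    """Wrap a predicate in an in-toto Statement and a DSSE envelope (signatures omitted)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "example.invalid/app", "digest": {"sha256": image_digest_hex}}],
        "predicate": predicate,
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []}

def classify_sbom(envelope):
    """Return (sbom_format, sbom_document) or (None, None).

    SPDX and CycloneDX are identified from predicateType alone. A Syft JSON file under
    --type custom carries the generic custom predicateType, so it is only found by decoding
    Data and checking Syft's own descriptor; a consumer keyed on predicateType never sees it."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    ptype, predicate = statement["predicateType"], statement["predicate"]
    if ptype in SBOM_PREDICATE_TYPES:
        return SBOM_PREDICATE_TYPES[ptype], predicate
    if ptype == CUSTOM_PREDICATE_TYPE:
        try:
            doc = json.loads(predicate.get("Data", ""))
        except (ValueError, AttributeError):
            return None, None
        if isinstance(doc, dict) and doc.get("descriptor", {}).get("name") == "syft":
            return "syft-json", doc
    return None, None
```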