Add support for reading attached SBOMs to an image in cosign format #519
Comments
I'm so impressed and jealous 🤩 please let me know if I can help with anything 🙋🏻‍♂️

I like this! We had talked about something similar for if there were SBOM attestations available for the specified image. But attachments are good, too. @developer-guy feel free to take a stab at it — want me to assign you? 😎

I'd think we'd ultimately want to support all 3 of the SBOM formats:

Happy to help as well :)

@samj1912 That'd be great! 🙏

Let's make sure we are on the right path when this is picked up -- there are quite a few ways to implement this, and we'd like to make sure that the community can understand exactly what is going on with these SBOMs.
What would you like to be added:
cosign is a popular image signing tool that also has a well-spec'd way of attaching SBOMs to an output image. Grype should take this information into account when an image is given as input, and if the cosign-attached SBOM is in a grype-compatible SBOM format, it should try to use it for scanning.
Why is this needed:
This allows users to attach an SBOM to an image beforehand in a consistent fashion.
Additional context:
Cosign will also add syft sbom support soon - sigstore/cosign#1137
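As an added illustration of the lookup a scanner would have to do (example code written for this page, not grype's or cosign's own implementation), the snippet below derives the tag cosign uses for an image's SBOM attachment and classifies the attachment manifest's layers by media type. The tag convention `sha256-<hex>.sbom` and the media-type-to-format table are assumptions based on cosign's conventions, not values stated in the issue; the manifest is constructed sample data.

```python
"""Locate and classify a cosign-attached SBOM for an image, offline."""
import re

# Media types cosign uses for SBOM attachment layers. Assumed from cosign's
# conventions for this example; the issue itself does not list them.
SBOM_MEDIA_TYPES = {
    "text/spdx": "spdx",
    "text/spdx+json": "spdx-json",
    "application/vnd.cyclonedx": "cyclonedx",
    "application/vnd.cyclonedx+json": "cyclonedx-json",
    "application/vnd.syft+json": "syft-json",
}

_DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


def sbom_attachment_tag(image_digest: str) -> str:
    """Return the tag under which cosign stores the SBOM attachment.

    Assumption: cosign pushes the SBOM as its own manifest in the same
    repository, tagged `sha256-<hex>.sbom` where <hex> is the subject
    image's digest. Rejecting malformed digests keeps a scanner from
    building a tag from untrusted input it cannot later verify.
    """
    m = _DIGEST_RE.match(image_digest)
    if not m:
        raise ValueError(f"not a sha256 digest: {image_digest!r}")
    return f"sha256-{m.group(1)}.sbom"


def classify_sbom_layers(manifest: dict) -> list[tuple[str, str]]:
    """Map each layer of an attachment manifest to (digest, sbom_format).

    Layers with an unrecognised media type are skipped so a scanner never
    feeds an unrelated blob into an SBOM parser.
    """
    out = []
    for layer in manifest.get("layers", []):
        fmt = SBOM_MEDIA_TYPES.get(layer.get("mediaType", ""))
        if fmt:
            out.append((layer["digest"], fmt))
    return out


# Constructed sample attachment manifest (not real registry data).
SAMPLE_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [
        {"mediaType": "text/spdx+json", "digest": "sha256:" + "11" * 32},
        {"mediaType": "application/octet-stream", "digest": "sha256:" + "22" * 32},
    ],
}
```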