I like this! We had talked about something similar for if there were SBOM attestations available for the specified image. But attachments are good, too. @developer-guy feel free to take a stab at it — want me to assign you? 😎
Let's make sure we are on the right path when this is picked up -- there are quite a few ways to implement this, and we'd like to make sure that the community can understand exactly what is going on with these SBOMs.
What would you like to be added:
cosign is a popular image signing tool that also has a well-spec'd way of attaching SBOMs to an output image. Grype should take this information into account when an image is given as input, and if the cosign-attached SBOM contains Grype-compatible SBOM formats, it should try and use those for scanning.
Why is this needed:
This allows users to attach an SBOM to an image beforehand in a consistent fashion.
Additional context:
Cosign will also add syft sbom support soon - sigstore/cosign#1137
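The workflow this issue asks Grype to automate, as an added example that is not part of the issue and not Grype or cosign project code: generate an SBOM with syft, attach it with `cosign attach sbom`, and at scan time pull it back with `cosign download sbom`, check whether it is in a format Grype can read, and only then hand it to `grype sbom:<path>` instead of rescanning the image. The format check inspects the top-level keys of the three formats Grype reads (SPDX JSON, CycloneDX JSON, syft JSON) and runs offline against constructed sample documents; the image name is a placeholder, and the attach/scan functions need cosign, syft, grype and registry access.

```shell
#!/usr/bin/env sh
# Added example (not Grype or cosign code): manual equivalent of "use the
# cosign-attached SBOM when scanning an image", with an offline format check.

# Classify an SBOM JSON document by the keys each format puts at the top level.
# Prints one of: spdx, cyclonedx, syft, unknown.
sbom_format() {
  file="$1"
  if grep -q '"spdxVersion"' "$file"; then
    echo spdx
  elif grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file"; then
    echo cyclonedx
  elif grep -q '"schema"' "$file" && grep -q 'anchore/syft' "$file"; then
    echo syft
  else
    echo unknown
  fi
}

# Produce an SPDX JSON SBOM for the image with syft and attach it with cosign.
# Requires syft and cosign on PATH plus push access to the registry.
attach_sbom() {
  image="$1"
  syft "$image" -o spdx-json > sbom.spdx.json
  cosign attach sbom --sbom sbom.spdx.json "$image"
}

# Fetch the cosign-attached SBOM for the image; if Grype can read its format,
# scan the SBOM, otherwise fall back to scanning the image itself.
# Requires cosign and grype on PATH plus pull access to the registry.
scan_attached_sbom() {
  image="$1"
  tmp=$(mktemp)
  if ! cosign download sbom "$image" > "$tmp"; then
    echo "no SBOM attached to $image; scanning the image directly" >&2
    rm -f "$tmp"
    grype "$image"
    return
  fi
  case "$(sbom_format "$tmp")" in
    spdx|cyclonedx|syft)
      grype "sbom:$tmp" ;;
    *)
      echo "attached SBOM is not in a Grype-readable format; scanning the image directly" >&2
      grype "$image" ;;
  esac
  rm -f "$tmp"
}

# Constructed sample documents (minimal, not real SBOMs) to exercise sbom_format offline.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '{"spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "example"}' > "$SAMPLE_DIR/spdx.json"
printf '%s\n' '{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}' > "$SAMPLE_DIR/cdx.json"
printf '%s\n' '{"artifacts": [], "schema": {"version": "3.0.1", "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-3.0.1.json"}}' > "$SAMPLE_DIR/syft.json"
printf '%s\n' 'not an sbom at all' > "$SAMPLE_DIR/plain.txt"

# Usage: sh scan-attached-sbom.sh ghcr.io/example/app:1.0   (placeholder image)
if [ $# -gt 0 ]; then
  scan_attached_sbom "$1"
fi
```

Running the script with an image reference performs the download-then-scan step; without arguments it only defines the functions and writes the samples, which is how the format check can be tested without network access.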