Generating SBOM for containers

[buger]

Is your feature request related to a problem? Please describe.

I see that for some reason SBOM feature does not work with generated containers.
Is there any reasons behind it? Anything community can help to make it work, can you give some direction on it?

Describe the solution you'd like

Be able generate SBOM for container artifacts

Describe alternatives you've considered

Having a separate job, running after goreleaser, which builds container SBOM

Search

• I did search for other open and closed issues before opening this.

Code of Conduct

• I agree to follow this project's Code of Conduct

Additional context

No response

[caarlos0]

I think it merely wasn't implemented...

If anyone wants to take a swing at it, I can give pointers here and/or discord...

The way I would go about it, probably, is to create a DockerPipe in the sbom package and implement the required methods, reusing the same code where it makes sense...

That should allow to run that particular pipe (sbom.DockerPipe) in the publish phase (instead of the build phase as the regular sbom.Pipe runs), which if I recall is how syft et al works (they publish the image with the sbom attached afaik - if that's incorrect we might do something different though).

FWIW: it works for kos.

[caarlos0]

Using buildx, you can also add --attest to your dockers build_flag_templates: https://docs.docker.com/engine/sbom/?cmdf=docker+sbom