
Use Docker to generate and attest SBOMs #3309

Open
rakshitgondwal opened this issue Mar 20, 2024 · 2 comments · May be fixed by #3387
Comments

rakshitgondwal (Member) commented Mar 20, 2024

Goal

Use docker/build-push-action to generate and attest SBOM.

Details

Right now we are using anchore/sbom-action to generate SBOMs for our images. This means we are generating SBOMs after our build process.
It is better to generate SBOMs during the build process, as it makes it easy for us to detect software we use to build our image that may not show up in the final image.

Thus we should use docker/build-push-action to generate and attest the SBOM, as the building of the image is done via this action only.

References

https://docs.docker.com/build/ci/github-actions/attestations/

DoD

  • SBOMs are being generated and attested using docker/build-push-action during the release pipeline
  • SBOMs are not generated during CI builds
  • Test if this is working properly, probably can use crane.
  • anchore/sbom-action is removed.
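The following workflow is an added example of the approach the issue proposes; it is not this repository's own pipeline. It wires docker/build-push-action with `sbom: true` and `provenance: mode=max` into a release-only job (so CI builds on branches and pull requests, which would live in a separate workflow, do not produce attestations), and then checks that the SBOM attestation was actually attached to the pushed image. The registry path `ghcr.io/example-org/example-image`, the action version pins, and the tag-based trigger are assumptions, not values taken from the issue.

```yaml
# Added example (not the project's own workflow): release-only build that
# generates and attests an SBOM during the build, then verifies it.
# Assumed: registry path, action versions, and the "v*" tag trigger.
name: release

on:
  push:
    tags:
      - "v*"            # only release tags run this job; CI builds on
                        # branches/PRs use a separate workflow without sbom/provenance

permissions:
  contents: read
  packages: write       # needed to push to GHCR
  id-token: write       # only needed if the image is later signed with cosign keyless

jobs:
  build-attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3   # attestations require BuildKit via buildx

      - name: Log in to the registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build, push, and attest
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/example-org/example-image:${{ github.ref_name }}
          # Scans the build during the build (not the finished image), so
          # build-stage dependencies that are absent from the final layers
          # are still recorded. Attached as an in-toto attestation manifest.
          sbom: true
          # mode=max records full build metadata (Dockerfile, build args)
          # in the SLSA provenance attestation.
          provenance: mode=max

      - name: Verify the SBOM attestation is attached
        run: |
          # Inspect the digest buildx just pushed rather than the tag, so a
          # tag that was overwritten by another build cannot mask a failure.
          IMAGE="ghcr.io/example-org/example-image@${{ steps.build.outputs.digest }}"
          docker buildx imagetools inspect "$IMAGE" --format '{{ json .SBOM }}' > sbom.json
          # The SBOM is emitted as SPDX; a missing attestation yields no SPDX document.
          if ! grep -q '"spdxVersion"' sbom.json; then
            echo "no SPDX SBOM attestation found on $IMAGE" >&2
            exit 1
          fi
          docker buildx imagetools inspect "$IMAGE" --format '{{ json .Provenance }}' > provenance.json
          grep -q '"buildType"' provenance.json
```

The verification step uses `docker buildx imagetools inspect`, which resolves the attestation manifests from the pushed image index. The `crane` check mentioned in the DoD is the equivalent lower-level view: `crane manifest <image>` prints the OCI index, and the attestations appear as extra manifests carrying the `vnd.docker.reference.type: attestation-manifest` annotation pointing back at the platform image's digest. Once this job is in place, the anchore/sbom-action step becomes redundant and can be dropped, as the last DoD item requires.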
@mowies mowies added status: ready-for-refinement Issue is relevant for the next backlog refinment enhancement New feature or request labels Mar 20, 2024
@mowies mowies removed the status: ready-for-refinement Issue is relevant for the next backlog refinment label Apr 3, 2024
AryanBakliwal (Contributor) commented:

Hi @rakshitgondwal, I would like to work on this issue.

rakshitgondwal (Member, Author) commented:

Sure, go ahead @AryanBakliwal
