-
Notifications
You must be signed in to change notification settings - Fork 574
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upload SBOM directly to OCI registry #592
Comments
we (w/@Dentrax) are the volunteers of this issue, btw 😍 |
Awesome!!!! |
I think this feature would be related to #510 — having Syft perform a Cosign-style attest operation, and putting the attestation into the OCI registry. As far as CLI syntax, for #510 we realized that we want this to be separate from the format flag ( My two cents: a similar approach would make sense for Syft following the
Thinking that What do you think? |
yeah, SGTM, we (w/@Dentrax) can make it happen if you all agree on this Let me summarize the steps that we are going to take:
is that all we need @luhring, WDYT? |
@developer-guy I think so! If we think of any more considerations, we'll put them here 😃 Thanks for taking this on. 🙏 Reach out at any point if it's not obvious to how use the existing patterns or Syft API for what you're doing and we'll jump in to take a look ❤️ |
I think making The better UX IMHO would be passing a By the way, a new cc: @developer-guy |
Absolutely. On the implementation side, we can generate an SBOM in multiple execution paths. So we could make sure the Another reason why I think the
I'm not sure I understand this part. If an SBOM has already been generated, why would users want to do the "attach" with |
This was discussed in the Anchore community WG meeting today (notes available at https://docs.google.com/document/d/1ZtSAa6fj2a6KRWviTn3WoJm09edvrNUp4Iz_dOjjyY8/edit ) - These were the options that were proposed -
In the WG meeting, people were leaning towards the latter + clear documentation to note that syft is compatible with cosign unless there are some other advantages to natively supporting cosign in syft that we missed. |
The cosign behavior is documented here as a "spec", with the intention of being interoperable! https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md Either approach sounds great to me. |
Added sigstore/cosign#1278 to update the spec as well |
Just catching up — if we're going with option 2 from the comment above, does that mean there's no work in Syft code for this any more, and it's just documentation? (of the flow for |
@luhring that's correct :) sigstore/cosign#1137 and sigstore/cosign#1278 handle the syft support and documentation on the cosign side. We just need to do the same at https://github.com/anchore/syft#adding-an-sbom-to-an-image-as-an-attestation to also mention sbom attachments |
Perfect, thanks @samj1912! |
Hi folk, as @samj1912 said, syft is now capable of uploading SBOM in form of in-toto attestation format to the registries, also, there is another option like "cosign attach", but AFAIK, there is still no direct support for uploading SBOMs to the OCI registries. Maybe, we could add another output option like "oci" to support this, the UX would be: # will upload SBOM in a json format by using "application/vnd.syft+json" mediaType
$ syft packages alpine:latest -o json --upload/export oci://devopps/my-sbom-img |
We could not decide which UX is better @developer-guy:
BREAKING CHANGE: Introduce
|
kindly ping |
From discussion:
|
What would you like to be added:
cosign supports attaching SBOMs to OCI registries1 (also has a spec for it 2), so we (w/@Dentrax) thought that it would be nice to have the same one for Syft, here is the design that we thought.
Why is this needed:
Additional context:
cc: @dlorenc @luhring
Footnotes
https://github.com/sigstore/cosign/blob/1f67ea73113f76c62429aa605d75105d77c370fa/cmd/cosign/cli/attach.go#L57 ↩
https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md ↩
The text was updated successfully, but these errors were encountered: