Description
A common use case for people building and signing container images is to use cosign. Cosign allows not only signing such container images but also in-toto attestations and SBOMs.
An operator using Chainloop might want to leverage this container image metadata and inject it as pieces of evidence.
Today this is possible by manually downloading the SBOM (i.e. `oras pull`) and then adding it to the attestation with `chainloop att add ...`.
We should simplify this process by automatically downloading, extracting and attaching such SBOMs.
One way we could do it is by extending the contract format.
From:

```yaml
schemaVersion: v1
materials:
  - type: CONTAINER_IMAGE
    name: image
    output: true
  - type: SBOM_CYCLONEDX_JSON
    name: sbom
```

To:

```yaml
schemaVersion: v1
materials:
  - type: CONTAINER_IMAGE
    name: image
    output: true
    sboms:
      - type: SBOM_CYCLONEDX_JSON
        name: sbom
```

Note how operators can now indicate that the container image to be added must "contain" an SBOM. This new contract will instruct the Chainloop CLI to find and download the SBOM and attach it as an SBOM material type.
Note that these SBOMs might come as in-toto predicates too, so we need to make sure we support not only raw SPDX/CycloneDX artifacts but also in-toto statements.
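As an added illustration (not code from this issue or from Chainloop), here is the artifact triage the CLI would need once it pulls the SBOM from the registry: it accepts a raw CycloneDX/SPDX document, an in-toto Statement carrying the SBOM as its predicate, or a DSSE envelope wrapping such a statement (the form cosign attestations are stored in), and hands back the material type plus the bare SBOM. The `SBOM_SPDX_JSON` material name, the predicate URIs and the DSSE/in-toto field names are assumptions taken from the cosign and in-toto formats, not from this issue.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Chainloop material types the extracted SBOM is attached as (SBOM_SPDX_JSON assumed).
const CycloneDXJSON, SPDXJSON = "SBOM_CYCLONEDX_JSON", "SBOM_SPDX_JSON"

// Predicate types cosign uses for CycloneDX and SPDX in-toto attestations.
var predicateKinds = map[string]string{
	"https://cyclonedx.org/bom": CycloneDXJSON,
	"https://spdx.dev/Document": SPDXJSON,
}

// ExtractSBOM takes what a registry pull may return (raw SBOM, in-toto Statement
// with the SBOM as predicate, or a DSSE envelope around such a statement) and
// returns the material type plus the bare SBOM document to attach.
func ExtractSBOM(raw []byte) (string, []byte, error) {
	var probe struct {
		PayloadType   string          `json:"payloadType"` // DSSE envelope
		Payload       string          `json:"payload"`
		Type          string          `json:"_type"` // in-toto Statement
		PredicateType string          `json:"predicateType"`
		Predicate     json.RawMessage `json:"predicate"`
		BomFormat     string          `json:"bomFormat"`   // raw CycloneDX
		SPDXVersion   string          `json:"spdxVersion"` // raw SPDX
	}
	if err := json.Unmarshal(raw, &probe); err != nil {
		return "", nil, fmt.Errorf("not a JSON document: %w", err)
	}
	switch {
	case probe.PayloadType != "": // unwrap the envelope, then classify the statement inside
		stmt, err := base64.StdEncoding.DecodeString(probe.Payload)
		if err != nil {
			return "", nil, fmt.Errorf("bad DSSE payload: %w", err)
		}
		return ExtractSBOM(stmt)
	case probe.Type != "" && probe.PredicateType != "":
		if kind, ok := predicateKinds[probe.PredicateType]; ok {
			return kind, probe.Predicate, nil
		}
		return "", nil, fmt.Errorf("unsupported in-toto predicate %q", probe.PredicateType)
	case probe.BomFormat == "CycloneDX":
		return CycloneDXJSON, raw, nil
	case probe.SPDXVersion != "":
		return SPDXJSON, raw, nil
	}
	return "", nil, errors.New("not a recognized SBOM or SBOM attestation")
}
```

Note that this only unwraps the envelope; verifying the DSSE signature against the expected signing identity is a separate step that must happen before the predicate is trusted as evidence.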