# Produce SBOM

```shell
syft scan --output=spdx-json docker:fn61/varasto
```

## Which SBOM format
| source | recommendation |
|---|---|
| syft | spdx-json |
| docker/build-push-action | in-toto(slsa.dev/provenance/v0.2) |
| Docker scout | in-toto(spdx) + in-toto(slsa.dev/provenance/v0.2) |
| Earthly | spdx-json |
in-toto seems to support embedding different types of provenance information:

- the SLSA provenance predicate (what in-toto uses for build provenance): https://slsa.dev/spec/v1.1/provenance
- SPDX inside an in-toto doc: https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md
  - in pseudo: `intotoStatement(spdxDocument)`. It's essentially embedding a JSON doc inside a JSON doc, so there are two different specs together parsing one logical document. Looks 🤮

Docker seems to be pushing this `intotoStatement(spdxDocument)` format ~hard, with docker/build-push-action defaulting to it (using Syft under the hood).
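As an added example (not code from the issue, Docker or Syft) of what `intotoStatement(spdxDocument)` actually looks like in practice, the script below builds the envelope around a constructed, trimmed SPDX document and then parses it back the way a consumer has to: the in-toto spec handles the outer object, the SPDX spec handles `predicate`. The unwrap step also refuses a statement whose `subject` digest is not the image being checked or whose `predicateType` is not SPDX, which is the check that naive `json.loads(blob)["predicate"]` code skips. Assumptions: the statement type URI `https://in-toto.io/Statement/v0.1` (what buildx-style tooling emits today), the sample package list, and the image digest (the reference digest from the scout-sbom-indexer manifest list below, used purely as a plausible value).

```python
import json

# Constructed sample: a minimal SPDX 2.3 document of the kind `syft --output=spdx-json`
# produces, trimmed to the fields this example needs. Not a real scan result.
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "fn61/varasto",
    "packages": [
        {"SPDXID": "SPDXRef-Package-apk-busybox", "name": "busybox", "versionInfo": "1.36.1-r15"},
        {"SPDXID": "SPDXRef-Package-apk-musl", "name": "musl", "versionInfo": "1.2.4-r2"},
    ],
}

# Assumed digest of the image the SBOM is about.
IMAGE_DIGEST = "sha256:e05300973c21517504acf05f23cbe58143cb064d6d32df3795a2b109d38323e5"

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"  # envelope spec (assumed version)
SPDX_PREDICATE = "https://spdx.dev/Document"           # predicate spec, as annotated on the layers


def wrap_spdx(spdx_doc, image_ref, image_digest):
    """intotoStatement(spdxDocument): the whole SPDX document becomes the `predicate`
    of an in-toto Statement; `subject` says what the SBOM describes."""
    algo, hexdigest = image_digest.split(":", 1)
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": image_ref, "digest": {algo: hexdigest}}],
        "predicateType": SPDX_PREDICATE,
        "predicate": spdx_doc,
    }


def to_blob(statement):
    """Serialize the statement: this is the JSON-in-JSON blob that gets attached to the image."""
    return json.dumps(statement, separators=(",", ":")).encode()


def unwrap_spdx(blob, expected_digest):
    """Spec 1 (in-toto) parses the envelope; spec 2 (SPDX) gets `predicate`.
    Reject statements that are not about the expected image or are not SPDX at all."""
    stmt = json.loads(blob)
    if stmt.get("_type") != STATEMENT_TYPE:
        raise ValueError(f"unexpected statement type {stmt.get('_type')!r}")
    if stmt.get("predicateType") != SPDX_PREDICATE:
        raise ValueError(f"predicate is {stmt.get('predicateType')!r}, not SPDX")
    algo, hexdigest = expected_digest.split(":", 1)
    if not any(s.get("digest", {}).get(algo) == hexdigest for s in stmt.get("subject", [])):
        raise ValueError("statement subject does not name the expected image digest")
    return stmt["predicate"]


def package_versions(spdx_doc):
    """What most consumers actually want from the SBOM: package name -> version."""
    return {p["name"]: p.get("versionInfo") for p in spdx_doc.get("packages", [])}


if __name__ == "__main__":
    blob = to_blob(wrap_spdx(SPDX_DOC, "docker.io/fn61/varasto", IMAGE_DIGEST))
    print(package_versions(unwrap_spdx(blob, IMAGE_DIGEST)))
```

Note that the subject check is what ties the SBOM to a specific image digest; a statement that merely sits next to an image in a registry proves nothing about that image unless `subject` (and, if signed, the signature over the whole envelope) matches it.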
## Attach SBOM

### how to attach?

- syft's recommendation to use an attachment (why? it would need to be signed separately...) cannot be taken seriously, as they don't attach SBOMs to their own Syft container image
- Docker scout (`docker/scout-sbom-indexer`) seems to use `vnd.docker.reference.type=attestation-manifest` in the manifest list:
```shell
$ oras manifest fetch --pretty docker.io/docker/scout-sbom-indexer:latest
...
{
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "digest": "sha256:03865443655036205f8a4cf442d0af176b68a02c377845fbb72707589b673ca3",
  "size": 840,
  "annotations": {
    "vnd.docker.reference.digest": "sha256:e05300973c21517504acf05f23cbe58143cb064d6d32df3795a2b109d38323e5",
    "vnd.docker.reference.type": "attestation-manifest"
  },
  "platform": {
    "architecture": "unknown",
    "os": "unknown"
  }
}
```
...which then seems to reference two different in-toto predicates:
```shell
$ oras manifest fetch --pretty docker.io/docker/scout-sbom-indexer@sha256:03865443655036205f8a4cf442d0af176b68a02c377845fbb72707589b673ca3
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:ce272640038585b336aa097ff69d84c4881ea8b471ec71852487491c29e5c706",
    "size": 241
  },
  "layers": [
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:86261ce202310d44ecdcde38b46f7aa906a2a72769e266d7b7ee41ba14f6a1b4",
      "size": 444687,
      "annotations": {
        "in-toto.io/predicate-type": "https://spdx.dev/Document"
      }
    },
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:6afc53b64077ce177775dd166ee96ede98439012b0161cc3bffe6f864598ccbc",
      "size": 23463,
      "annotations": {
        "in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"
      }
    }
  ]
}
```
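The two `oras` dumps above show the lookup path a consumer has to walk: manifest list → attestation-manifest entry whose `vnd.docker.reference.digest` names the platform image → in-toto layer with the wanted `in-toto.io/predicate-type`. The script below is an added example (not Docker's or scout's code) that does that walk offline over a constructed manifest list built from the digests and annotations shown above. The amd64 image entry and its size are assumed, since the page only shows the attestation entry; `fetch_manifest` is a stand-in for `oras manifest fetch <repo>@<digest>`. One caveat it enforces: the reference digest must point at a real image manifest in the same index, so a dangling or foreign reference is ignored rather than trusted.

```python
# Digests copied from the scout-sbom-indexer output above.
IMAGE_DIGEST = "sha256:e05300973c21517504acf05f23cbe58143cb064d6d32df3795a2b109d38323e5"
ATTESTATION_DIGEST = "sha256:03865443655036205f8a4cf442d0af176b68a02c377845fbb72707589b673ca3"
SPDX_LAYER_DIGEST = "sha256:86261ce202310d44ecdcde38b46f7aa906a2a72769e266d7b7ee41ba14f6a1b4"
SLSA_LAYER_DIGEST = "sha256:6afc53b64077ce177775dd166ee96ede98439012b0161cc3bffe6f864598ccbc"

ATTESTATION_TYPE = "attestation-manifest"
INTOTO_MEDIA_TYPE = "application/vnd.in-toto+json"

# Constructed manifest list: the attestation entry is the one shown above; the
# linux/amd64 entry (and its size) is assumed, as the page does not show it.
MANIFEST_LIST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": IMAGE_DIGEST,
            "size": 1234,  # assumed
            "platform": {"architecture": "amd64", "os": "linux"},
        },
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": ATTESTATION_DIGEST,
            "size": 840,
            "annotations": {
                "vnd.docker.reference.digest": IMAGE_DIGEST,
                "vnd.docker.reference.type": ATTESTATION_TYPE,
            },
            "platform": {"architecture": "unknown", "os": "unknown"},
        },
    ],
}

# The attestation manifest as fetched above (config entry omitted; not needed here).
ATTESTATION_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [
        {"mediaType": INTOTO_MEDIA_TYPE, "digest": SPDX_LAYER_DIGEST, "size": 444687,
         "annotations": {"in-toto.io/predicate-type": "https://spdx.dev/Document"}},
        {"mediaType": INTOTO_MEDIA_TYPE, "digest": SLSA_LAYER_DIGEST, "size": 23463,
         "annotations": {"in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"}},
    ],
}


def _is_attestation(entry):
    return entry.get("annotations", {}).get("vnd.docker.reference.type") == ATTESTATION_TYPE


def platform_images(index):
    """Real image manifests in the index: every entry that is not an attestation manifest."""
    return {m["digest"]: m for m in index["manifests"] if not _is_attestation(m)}


def attestation_manifests_for(index, image_digest):
    """Attestation entries claiming to describe image_digest. The reference must name an
    image manifest in the *same* index; anything else is ignored rather than trusted."""
    images = platform_images(index)
    return [m for m in index["manifests"]
            if _is_attestation(m)
            and m["annotations"].get("vnd.docker.reference.digest") == image_digest
            and image_digest in images]


def predicate_layers(att_manifest):
    """in-toto.io/predicate-type URI -> layer digest, considering only in-toto layers."""
    out = {}
    for layer in att_manifest.get("layers", []):
        if layer.get("mediaType") != INTOTO_MEDIA_TYPE:
            continue
        ptype = layer.get("annotations", {}).get("in-toto.io/predicate-type")
        if ptype:
            out[ptype] = layer["digest"]
    return out


def locate_predicate(index, image_digest, predicate_type, fetch_manifest):
    """Digest of the blob holding predicate_type for image_digest, or None.
    fetch_manifest(digest) -> dict stands in for `oras manifest fetch <repo>@<digest>`."""
    for entry in attestation_manifests_for(index, image_digest):
        layers = predicate_layers(fetch_manifest(entry["digest"]))
        if predicate_type in layers:
            return layers[predicate_type]
    return None


if __name__ == "__main__":
    registry = {ATTESTATION_DIGEST: ATTESTATION_MANIFEST}  # offline stand-in for the registry
    print(locate_predicate(MANIFEST_LIST, IMAGE_DIGEST, "https://spdx.dev/Document", registry.__getitem__))
```

The blob at the returned digest is the raw in-toto statement; fetching it is `oras blob fetch <repo>@<digest>`, after which the envelope/predicate parsing from the earlier section applies. Note that nothing in this walk is authenticated: the annotations are plain index metadata, so a verifier still has to check the statement's `subject` (and any signature) against the image digest it started from.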