When building multi stage images in CI/CD with DHI bases, what recommended approach to preserve SBOMs & attestations for compliance? See example

[godfreyowidi]

WORKDIR /services
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o {servicename} ./services/{servicename}/cmd/main.go

FROM dhi.io/alpine-base:3.23
RUN apk add --no-cache ca-certificates tzdata
WORKDIR /home/{project}
COPY --from=builder /services/{servicename} .
USER 1000:1000
EXPOSE 8080
CMD ["./servicename"]

[cdupuis]

@godfreyowidi, this documentation page should help with that: https://docs.docker.com/build/metadata/attestations/sbom/#arguments

It outlines how to generate SBOMs across multi stage builds.

cd

PS for your runtime stage I'd suggest taking a look at dhi.io/static from https://dhi.io/catalog/static. This has ca-certs, tzdata and a non-root user already.