From 51570d807a8445792a4628862ba48d08c0a443f0 Mon Sep 17 00:00:00 2001
From: Mike Hepburn
Date: Wed, 31 May 2023 10:50:33 +1000
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=91=20syft=20sbom=20=F0=9F=90=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/build_container.yaml | 3 ++-
 README.md | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build_container.yaml b/.github/workflows/build_container.yaml
index 9787cd8..2543c81 100644
--- a/.github/workflows/build_container.yaml
+++ b/.github/workflows/build_container.yaml
@@ -88,6 +88,7 @@ jobs:
 # Provenance SBOM and attestation
 - name: Generate SBOM
 uses: anchore/sbom-action@v0
+ id: syft
 with:
 image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAGS }}
 registry-username: ${{ secrets.QUAY_USER }}
@@ -96,7 +97,7 @@ jobs:
 - name: Attach SBOM to image
 run: |
- cosign attach sbom --sbom pet-battle-api.sbom \
+ cosign attach sbom --sbom ${{ steps.syft.output-file }} \
 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAGS }}
 env:
 COSIGN_PASSWORD: ""
diff --git a/README.md b/README.md
index 3f035d5..bbd1726 100644
--- a/README.md
+++ b/README.md
@@ -281,3 +281,17 @@ To verify an image:
 curl --progress-bar -o cosign.pub https://raw.githubusercontent.com/petbattle/pet-battle-api/master/cosign.pub
 cosign verify --key cosign.pub quay.io/petbattle/pet-battle-api:latest
 ```
+
+SBOM generated using [syft](https://github.com/anchore/syft).
+
+Verify signed SBOM:
+
+```bash
+cosign verify --key cosign.pub --attachment sbom quay.io/petbattle/pet-battle-api:latest
+```
+
+Verify SBOM attestation:
+
+```bash
+cosign verify-attestation --key cosign.pub quay.io/petbattle/pet-battle-api:latest
+```
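Review bot: Now that `id: syft` turns this step into the producer of the artifact that gets attached and signed downstream, the floating `anchore/sbom-action@v0` reference on the line above it is the weak link: a moving major tag means the code that generates the SBOM can change under you without any diff in this repo, which undercuts the provenance story the commit is building. Pin the action to a full commit SHA with the version in a trailing comment, e.g. `uses: anchore/sbom-action@<40-char-sha> # v0.x.y`, and let Dependabot or Renovate bump it. The `with:` block of this step continues past the hunk, so whether an explicit `output-file` is set is not visible here.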
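Review bot: `${{ steps.syft.output-file }}` is not how step outputs are addressed in GitHub Actions expressions; outputs live under `steps.<id>.outputs.<name>`, and `output-file` is the name of the action's input, not an output, so this expression evaluates to an empty string and the command becomes `cosign attach sbom --sbom <image-ref>` with no image argument. The step will fail (or, if cosign is lenient, attach nothing), which is a silent gap in the supply-chain artefact this commit is meant to produce. I believe the action's documented output is `sbom` — confirm against the action.yml of the version you pin — so the line should read `cosign attach sbom --sbom "${{ steps.syft.outputs.sbom }}" \`. Note that `cosign attach sbom` only attaches; the README's "verify signed SBOM" claim presumably relies on a separate `cosign sign --attachment sbom` step outside this hunk — worth confirming it exists and runs after this one.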