
Use syft to create SBOMs of Docker images and upload to Harbor #398

Closed
Tracked by #168
lfrancke opened this issue Jun 24, 2023 · 1 comment · Fixed by stackabletech/operator-templating#312
Assignees
Labels
changelog/highlight Items worth mentioning in the Platform changelog release/2024-03

Comments

@lfrancke
Member

No description provided.

@dervoeti
Member

Just leaving a few notes here, as I did some tests today.

We should be able to attest that an SBOM belongs to an image by running this command within the GitHub Action, after the image was built:

```shell
cosign attest --predicate bom.json --type cyclonedx oci.stackable.tech/stackable/images/airflow-operator:0.0.0-dev
```

In my tests this only worked when the CycloneDX SBOM was in JSON format, with XML it failed (tested with cosign 2.2.1).

Verification should work like this:

```shell
cosign verify-attestation --type cyclonedx --certificate-identity-regexp '^https://github.com/stackabletech/.+/.github/workflows/.+@.+' --certificate-oidc-issuer https://token.actions.githubusercontent.com oci.stackable.tech/stackable/images/airflow-operator:0.0.0-dev
```

Displaying the verified SBOM:

```shell
cosign verify-attestation --type cyclonedx --certificate-identity-regexp '^https://github.com/stackabletech/.+/.github/workflows/.+@.+' --certificate-oidc-issuer https://token.actions.githubusercontent.com oci.stackable.tech/stackable/images/airflow-operator:0.0.0-dev 2>/dev/null | jq '.payload' -r | base64 -d | jq '.predicate' > sbom.json
```
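The extraction step from the comment above (`verify-attestation` output piped through `jq` and `base64`), written as an added Python check that is not part of the issue or of Stackable's tooling. It decodes the DSSE envelope lines cosign prints, confirms the statement is a CycloneDX attestation, and additionally checks that the attestation's subject names the expected image repository (the `jq` pipeline never checks which image the statement is about). Assumptions: cosign writes predicateType `https://cyclonedx.org/bom` for `--type cyclonedx`, subject names are the repository without tag, and the sample envelope below is constructed, not a real attestation.

```python
import base64
import json

# Assumption: predicateType cosign uses for `--type cyclonedx`.
CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom"
IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"


def extract_sbom(envelope_line: str, image_repo: str) -> dict:
    """Decode one DSSE envelope line from `cosign verify-attestation` and return
    its CycloneDX predicate after checking type, statement and subject."""
    envelope = json.loads(envelope_line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE:
        raise ValueError(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != CYCLONEDX_PREDICATE_TYPE:
        raise ValueError(f"not a CycloneDX attestation: {statement.get('predicateType')!r}")
    # Refuse statements whose subject is not the image we asked about; the
    # subject must carry a sha256 digest (cosign keys subjects by repo + digest).
    subjects = statement.get("subject", [])
    if not any(s.get("name") == image_repo and "sha256" in s.get("digest", {})
               for s in subjects):
        raise ValueError(f"attestation subject does not name {image_repo}")
    return statement["predicate"]


def extract_sboms(cosign_output: str, image_repo: str) -> list:
    """cosign prints one envelope per line; collect every predicate that passes."""
    return [extract_sbom(line, image_repo)
            for line in cosign_output.splitlines() if line.strip()]


def build_envelope(statement: dict) -> str:
    """Wrap an in-toto statement the way cosign prints it (signatures omitted,
    since signature verification is cosign's job, not this script's)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})


# Constructed sample: the digest and component list are placeholders.
SAMPLE_IMAGE = "oci.stackable.tech/stackable/images/airflow-operator"
SAMPLE_STATEMENT = {
    "_type": IN_TOTO_STATEMENT_TYPE,
    "predicateType": CYCLONEDX_PREDICATE_TYPE,
    "subject": [{"name": SAMPLE_IMAGE, "digest": {"sha256": "0" * 64}}],
    "predicate": {"bomFormat": "CycloneDX", "specVersion": "1.4",
                  "components": [{"name": "airflow-operator", "version": "0.0.0-dev"}]},
}

if __name__ == "__main__":
    print(json.dumps(extract_sbom(build_envelope(SAMPLE_STATEMENT), SAMPLE_IMAGE), indent=2))
```

In practice the input is the stdout of the `verify-attestation` command, so a wrong signer or issuer is still rejected by cosign before this script ever sees the envelope.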
