[EKS] [request]: Generate SBOMs for release artifacts

[stevehipwell]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
I'd like all artifacts created for EKS to have a secure SBOM generated so we can track the content of them. The SBOM should probably be in a number of formats but the OpenSSF SPDX format would be essential.

Which service(s) is this request for?
EKS.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I'd like to be able to validate and review the SBOM for EKS artifacts.

Are you currently working around this issue?
n/a

Additional context
This is related to #43 for storing container image SBOMs in ECR.

Attachments
n/a

[ecki]

Is the issue in „additional context“ the right one?

[stevehipwell]

Is the issue in „additional context“ the right one?

@ecki I'm making the assumption that once ECR can store image signatures it could also store SBOMs.

[ecki]

Ah yes, Oras uses both types as explicite samples for the artifacts spec.
The link text confused me I thought it was about a request for sbom in ECR, but all good now.