Updating the scope of this issue as per yesterday's discussion. We already have #309 for the cosign issue. Let's use this issue to instead track the generation of SBOM for Scorecards.
The proposal is to generate an SBOM for gcr.io/openssf/scorecard and sign the docker image and the SBOM with cosign.

SBOM

A “Software Bill of Materials” (SBOM) is effectively a nested inventory, a list of ingredients that make up software components. The following documents were drafted by stakeholders in an open and transparent process to address transparency around software components and were approved by a consensus of participating stakeholders.

source https://www.ntia.gov/SBOM

Tool to generate SBOM

Recently the k8s team built a tool for generating SBOMs, https://github.com/kubernetes/release/blob/master/cmd/bom/README.md, which is not specific to k8s. It generates in SPDX format.

cosign

cosign will be used to sign the SBOM and the docker container as part of the merge to main. The SBOM and the signature would be stored in gcr.io.

Keys

The private keys and public keys for signing the image would be stored as plain text in the scorecard repository. The public key can be used to verify the validity of the signature.
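As an added example (not code from this issue or from the Scorecard project): a consumer-side check that an SPDX tag-value SBOM, the format the kubernetes `bom` tool emits, actually describes the image digest you verified with cosign, since a valid signature on the SBOM proves who published it but not that it belongs to the image you are about to run. The SBOM text below is constructed for illustration, and the field layout assumes SPDX 2.2 tag-value conventions (PackageName, SPDXID, PackageChecksum, Relationship).

```python
"""Bind an SPDX tag-value SBOM to a container image digest before trusting it."""
import re
from typing import Dict, List

# Constructed sample, not real `bom` output. The DESCRIBES relationship names the
# top-level package; its SHA256 checksum should equal the signed image digest.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: gcr.io/openssf/scorecard
PackageName: gcr.io/openssf/scorecard
SPDXID: SPDXRef-Package-scorecard-image
PackageChecksum: SHA256: 1111111111111111111111111111111111111111111111111111111111111111
PackageName: example.com/some/module
SPDXID: SPDXRef-Package-some-module
PackageVersion: v0.0.0-constructed
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-scorecard-image
Relationship: SPDXRef-Package-scorecard-image CONTAINS SPDXRef-Package-some-module
"""


def parse_packages(sbom: str) -> Dict[str, Dict[str, str]]:
    """Group tag-value lines into packages keyed by SPDXID.
    A PackageName line opens a new package; document-level tags before the
    first package are skipped. Checksums are stored under their algorithm."""
    packages: Dict[str, Dict[str, str]] = {}
    current = None
    for line in sbom.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":
            current = {"PackageName": value}
        elif current is not None:
            if tag == "SPDXID":
                packages[value] = current
            elif tag == "PackageChecksum":
                algo, _, digest = value.partition(":")
                current[algo.strip()] = digest.strip().lower()
            else:
                current[tag] = value
    return packages


def described_ids(sbom: str) -> List[str]:
    """SPDXIDs that the document itself claims to describe."""
    return re.findall(r"^Relationship:\s*SPDXRef-DOCUMENT DESCRIBES (\S+)", sbom, re.M)


def sbom_matches_image(sbom: str, image_digest: str) -> bool:
    """True only if a DESCRIBES target carries the expected sha256 digest."""
    digest = image_digest.lower()
    if digest.startswith("sha256:"):
        digest = digest[len("sha256:"):]
    pkgs = parse_packages(sbom)
    return any(pkgs.get(i, {}).get("SHA256") == digest for i in described_ids(sbom))
```

Run this after `cosign verify` succeeds on both the image and the SBOM, feeding it the digest cosign reported, so a mismatched or stale SBOM is rejected even though its signature is valid.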