SBOM generation #950

Closed
naveensrinivasan opened this issue Sep 1, 2021 · 3 comments
Labels
kind/enhancement New feature or request

Comments

@naveensrinivasan
Member

The proposal is to generate an SBOM for gcr.io/openssf/scorecard and sign the Docker image and the SBOM with cosign.

SBOM

A “Software Bill of Materials” (SBOM) is effectively a nested inventory, a list of ingredients that make up software components. The following documents were drafted by stakeholders in an open and transparent process to address transparency around software components and were approved by a consensus of participating stakeholders.

source https://www.ntia.gov/SBOM

Tool to generate SBOM

Recently the k8s team built a tool for generating SBOMs, https://github.com/kubernetes/release/blob/master/cmd/bom/README.md, which is not specific to k8s. It generates output in SPDX format.

cosign

cosign will be used to sign the SBOM and the Docker container as part of the merge to main. The SBOM and the signature would be stored in gcr.io.

Keys

The private keys and public keys for signing the image would be stored as plain text in the scorecard repository. The public key can be used to verify the validity of the signature.

@naveensrinivasan naveensrinivasan added the kind/enhancement New feature or request label Sep 1, 2021
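The pipeline the proposal sketches (bom generates an SPDX SBOM, cosign signs the image and the SBOM, the public key verifies both), as an added example that is not Scorecard project code and not from the issue author. It assumes `bom` and `cosign` are installed and already authenticated to gcr.io, that the signing key was created with `cosign generate-key-pair`, and that the key paths and password come from the environment variables `COSIGN_KEY`, `COSIGN_PUB` (names chosen for this example) and `COSIGN_PASSWORD` (the variable cosign itself reads to unlock the encrypted private key). The `bom generate --image/--output` and cosign 1.x `attach sbom` / `--attachment sbom` / `download sbom` flags are used as I know them; newer cosign releases prefer `cosign attest --type spdx` for the SBOM. The digest check and file-name helper are the parts that run without network access.

```shell
#!/bin/sh
# Added example, not Scorecard's code: SBOM generation + cosign signing +
# verification for an image reference pinned by digest.
# Assumed env: COSIGN_KEY (private key path), COSIGN_PUB (public key path),
# COSIGN_PASSWORD (read by cosign to decrypt COSIGN_KEY).
set -eu

# cosign signs a digest, not a tag. Refuse anything that is not
# repo@sha256:<64 hex> so a signature cannot be "moved" by retagging.
require_digest_ref() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._/:-]+@sha256:[0-9a-f]{64}$'
}

# Output file name derived from the image name and the first 12 digest hex
# chars, e.g. scorecard-0123456789ab.spdx (naming convention is this example's).
sbom_name() {
    digest=${1##*@sha256:}
    repo=${1%%@*}
    printf '%s-%s.spdx\n' "${repo##*/}" "$(printf '%s' "$digest" | cut -c1-12)"
}

# Generate an SPDX SBOM for the image with kubernetes/release's bom tool.
generate_sbom() {  # $1 image ref, $2 output path
    bom generate --image "$1" --output "$2"
}

# Sign the image, attach the SBOM to it in the registry, and sign the
# attached SBOM as well so it can be verified independently of the image.
sign_image_and_sbom() {  # $1 image ref, $2 sbom path
    cosign sign --key "$COSIGN_KEY" "$1"
    cosign attach sbom --sbom "$2" "$1"
    cosign sign --key "$COSIGN_KEY" --attachment sbom "$1"
}

# Verify both signatures with the public key, then pull the SBOM back from
# the registry and confirm it really is SPDX (tag-value or JSON form).
verify_image_and_sbom() {  # $1 image ref
    cosign verify --key "$COSIGN_PUB" "$1"
    cosign verify --key "$COSIGN_PUB" --attachment sbom "$1"
    cosign download sbom "$1" | grep -qi 'spdxversion'
}

main() {
    ref=$1
    require_digest_ref "$ref" || {
        echo "refusing to sign a reference that is not pinned by digest: $ref" >&2
        return 1
    }
    sbom=$(sbom_name "$ref")
    generate_sbom "$ref" "$sbom"
    sign_image_and_sbom "$ref" "$sbom"
    verify_image_and_sbom "$ref"
    echo "signed and verified $ref (SBOM: $sbom)"
}

# Usage:
#   COSIGN_KEY=cosign.key COSIGN_PUB=cosign.pub COSIGN_PASSWORD=... \
#     sh sign-sbom.sh --run gcr.io/openssf/scorecard@sha256:<digest>
if [ "${1:-}" = "--run" ]; then
    main "${2:?image reference (repo@sha256:...) required}"
fi
```

The digest check is the part worth keeping even if the tooling changes: a CI job that passes `gcr.io/openssf/scorecard:latest` would have cosign resolve the tag at sign time, and the resulting signature then says nothing about whatever `latest` points at tomorrow. Signing and verifying in the same job also catches a mismatched key pair before anything depends on the signature.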
@azeemshaikh38 azeemshaikh38 changed the title SBOM and cosign SBOM generation Sep 8, 2021
@azeemshaikh38
Contributor

Updating the scope of this issue as per yesterday's discussion. We already have #309 for the cosign issue. Let's use this issue to instead track the generation of SBOM for Scorecards.

@github-actions

Stale issue message
