docs(sbom): add sbom attestation (#2527)
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
Showing 2 changed files with 52 additions and 0 deletions.
@@ -0,0 +1,50 @@ | ||
# SBOM attestation | ||
|
||
[Cosign](https://github.com/sigstore/cosign) supports generating and verifying [in-toto attestations](https://github.com/in-toto/attestation). This tool enables you to sign and verify SBOM attestation. | ||
|
||
!!! note | ||
In the following examples, the `cosign` command will write an attestation to a target OCI registry, so you must have permission to write. | ||
If you want to avoid writing an OCI registry and only want to see an attestation, add the `--no-upload` option to the `cosign` command. | ||
|
||
## Sign with a local key pair | ||
|
||
Cosign can generate key pairs and use them for signing and verification. Read more about [how to generate key pairs](https://docs.sigstore.dev/cosign/key-generation). | ||
|
||
In the following example, Trivy generates an SBOM in the spdx format, and then Cosign attaches an attestation of the SBOM to a container image with a local key pair. | ||
|
||
``` | ||
$ trivy image --format spdx -o predicate <IMAGE> | ||
$ cosign attest --key /path/to/cosign.key --type spdx --predicate predicate <IMAGE> | ||
``` | ||
|
||
Then, you can verify attestations on the image. | ||
|
||
``` | ||
$ cosign verify-attestation --key /path/to/cosign.pub <IMAGE> | ||
``` | ||
|
||
You can also create attestations of other formatted SBOM. | ||
|
||
``` | ||
# spdx-json | ||
$ trivy image --format spdx-json -o predicate <IMAGE> | ||
$ cosign attest --key /path/to/cosign.key --type spdx --predicate predicate <IMAGE> | ||
# cyclonedx | ||
$ trivy image --format cyclonedx -o predicate <IMAGE> | ||
$ cosign attest --key /path/to/cosign.key --type https://cyclonedx.org/schema --predicate predicate <IMAGE> | ||
``` | ||
|
||
## Keyless signing | ||
|
||
You can use Cosign to sign without keys by authenticating with an OpenID Connect protocol supported by sigstore (Google, GitHub, or Microsoft). | ||
|
||
``` | ||
$ trivy image --format spdx -o predicate <IMAGE> | ||
$ COSIGN_EXPERIMENTAL=1 cosign attest --type spdx --predicate predicate <IMAGE> | ||
``` | ||
|
||
You can verify attestations. | ||
``` | ||
$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation <IMAGE> | ||
``` |
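Review bot: both `cosign verify-attestation` commands in this hunk (the local-key one after "Then, you can verify attestations on the image." and the keyless one after "You can verify attestations.") omit `--type`, which cosign defaults to `custom`, so they will not match the attestations that the preceding `cosign attest --type spdx` (or `--type https://cyclonedx.org/schema`) commands produced and verification fails with no matching attestations. Suggest keeping the verify type equal to the attest type, e.g. `$ cosign verify-attestation --key /path/to/cosign.pub --type spdx <IMAGE>` and `$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type spdx <IMAGE>`, with `--type https://cyclonedx.org/schema` for the CycloneDX variant, and adding one sentence that `verify-attestation` checks the signature and predicate type only, not the SBOM content; a reader who wants to inspect the attested SBOM can pipe the verify output through `jq -r .payload | base64 -d`, since the predicate is the base64-encoded DSSE payload. The "## Keyless signing" paragraph should also state that `COSIGN_EXPERIMENTAL=1` is required for the Fulcio/Rekor flow in the cosign version these examples target, so the environment variable in the code block is not read as optional.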