docs(readme): add sbom section (ko-build#710)

* docs(readme): add sbom section Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> * Update README.md Co-authored-by: Jason Hall <jason@chainguard.dev>
cpanato · Jun 6, 2022 · e6a7a37 · e6a7a37
1 parent fea092c
commit e6a7a37
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -284,6 +284,16 @@ produce a manifest list containing an image for each platform.
 You can also select specific platforms, for example,
 `--platform=linux/amd64,linux/arm64`
 
+## Generating SBOMs
+
+A [Software Bill of Materials](https://en.wikipedia.org/wiki/Software_bill_of_materials) (SBOM) is a list of software components that a software artifact depends on.
+Having a list of dependencies can be helpful in determining whether any vulnerable components were used to build the software artifact.
+
+From v0.9+, `ko` generates and uploads an SBOM for every image it produces by default.
+
+`ko` will generate an SBOM in the [SPDX](https://spdx.dev/) format by default, but you can select the [CycloneDX](https://cyclonedx.org/) format instead with the `--sbom=cyclonedx` flag. To disable SBOM generation, pass `--sbom=none`.
+
+These SBOMs can be downloaded using the [`cosign download sbom`](https://github.com/sigstore/cosign/blob/main/doc/cosign_download_sbom.md) command.
 ## Static Assets
 
 `ko` can also bundle static assets into the images it produces.