(feat): Generate SBOM for invocation image + bundle #2930
Assignees
Labels
suggestion
Idea for maintainers to consider. Do not take this issue until triaged.
Comments
schristoff
added
the
suggestion
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Being able to offer generating an SBOM for the invocation image and bundle would be a great step in our security focus.
Talking to Syft on their Slack, they pointed us to this example for ingesting Syft as a Go lib.
Ideally, when users run
porter publishcommand we would take asbom(bool) flag. If true, then withinpkg/porter/publishwe would call a separatepkg/porter/publish/sbom.gothat would do the generation required. We could separate out this feature into it's own package, or keep it within publish. The porter package is already kinda chunky, so maybe best to try and keep all the imports needed for this feature separate.Note: The linked code generates a Syft SBOM, but we need an SPDX SBOM, so we would need to incorporate the use of formats into this code.
The text was updated successfully, but these errors were encountered: