Hello, when I use buildx, it binds the sbom data directly into the manifest.
But ko pushes it as a tag.
How can we do this like docker buildx does?
BTW, docker scout cannot detect sboms in the main image created via ko.
ko follows cosign's SBOM spec for this; for more detail, you can take a look here, whereas BuildX has its standards, like they use another manifest with platform and arch set as unknown; you can take a look here. This is where the OCI Referrers API comes in handy to avoid this kind of separation between tools in handling these software supply chain materials.
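The two conventions contrasted in the comment above, as an added Go example (not code from ko, buildx, or the commenter). It assumes cosign's `sha256-<hex>.sbom` tag scheme and buildx's `vnd.docker.reference.type` / `vnd.docker.reference.digest` annotations; the sample index and its digests are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample index in the shape buildx emits (digests are not real).
const sampleIndex = `{"schemaVersion":2,"manifests":[
 {"digest":"sha256:aaaa","platform":{"architecture":"amd64","os":"linux"}},
 {"digest":"sha256:bbbb","platform":{"architecture":"unknown","os":"unknown"},
  "annotations":{"vnd.docker.reference.type":"attestation-manifest","vnd.docker.reference.digest":"sha256:aaaa"}}]}`

type index struct {
	Manifests []struct {
		Digest      string            `json:"digest"`
		Annotations map[string]string `json:"annotations"`
	} `json:"manifests"`
}

// CosignSBOMTag: cosign convention (used by ko), "sha256:<hex>" -> "sha256-<hex>.sbom".
func CosignSBOMTag(digest string) (string, error) {
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo == "" || hex == "" {
		return "", fmt.Errorf("not a digest: %q", digest)
	}
	return algo + "-" + hex + ".sbom", nil
}

// BuildxAttestations maps image digest -> attestation manifest digest in the same index.
func BuildxAttestations(raw []byte) (map[string]string, error) {
	var idx index
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, m := range idx.Manifests {
		if m.Annotations["vnd.docker.reference.type"] == "attestation-manifest" {
			out[m.Annotations["vnd.docker.reference.digest"]] = m.Digest
		}
	}
	return out, nil
}

func main() {
	att, _ := BuildxAttestations([]byte(sampleIndex))
	tag, _ := CosignSBOMTag("sha256:aaaa")
	fmt.Println("buildx attestation manifest:", att["sha256:aaaa"], "| cosign tag:", tag)
}
```

A scanner that only walks the image index finds the second location and never queries the first, which is consistent with the docker scout behaviour reported in the issue.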
This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.