ko sbom binding strategy problem #1243

Open
nemre opened this issue Feb 19, 2024 · 2 comments

Comments

@nemre

nemre commented Feb 19, 2024

Hello, when I use buildx, it binds the SBOM data directly into the manifest.
But ko pushes it as a tag.
How can we do this like docker buildx does?
BTW, docker scout cannot detect SBOMs in the main image created via ko.

@developer-guy
Collaborator

developer-guy commented Feb 19, 2024

ko follows cosign's SBOM spec for this; for more detail, you can take a look here. BuildX, on the other hand, has its own standard: it uses another manifest with platform and arch set to unknown; you can take a look here. This is where the OCI Referrers API comes in handy, to avoid this kind of separation between tools in how they handle these software supply chain materials.
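To make the two layouts concrete, here is an added example (my own code, not part of ko, cosign or buildx) that shows where to look for the SBOM in each case: it derives the cosign-style `.sbom` tag that ko pushes from an image digest, walks an image index for buildx attestation manifests (the entries with platform `unknown`/`unknown` and the `vnd.docker.reference.*` annotations), and filters an OCI 1.1 referrers response by `artifactType`. The digests and the two JSON documents are constructed sample data; the tag and annotation conventions are as I understand the cosign SBOM spec and the buildx attestation format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Descriptor is the subset of an OCI content descriptor this example reads.
type Descriptor struct {
	MediaType    string            `json:"mediaType"`
	Digest       string            `json:"digest"`
	ArtifactType string            `json:"artifactType,omitempty"`
	Platform     *Platform         `json:"platform,omitempty"`
	Annotations  map[string]string `json:"annotations,omitempty"`
}

// Platform is the os/architecture pair of a descriptor.
type Platform struct {
	OS           string `json:"os"`
	Architecture string `json:"architecture"`
}

// Index is an OCI image index; the referrers API returns one as well.
type Index struct {
	Manifests []Descriptor `json:"manifests"`
}

// CosignSBOMTag derives the tag cosign uses for an image's SBOM (ko follows the same
// convention): the image digest with ':' replaced by '-', plus a ".sbom" suffix.
func CosignSBOMTag(digest string) (string, error) {
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo == "" || hex == "" {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	return algo + "-" + hex + ".sbom", nil
}

// BuildxAttestations maps each buildx attestation manifest in an index to the digest of the
// platform image it describes. buildx marks these entries with platform unknown/unknown and
// the vnd.docker.reference.* annotations; entries without a subject digest are an error.
func BuildxAttestations(indexJSON []byte) (map[string]string, error) {
	var idx Index
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, m := range idx.Manifests {
		if m.Platform == nil || m.Platform.OS != "unknown" || m.Platform.Architecture != "unknown" {
			continue
		}
		if m.Annotations["vnd.docker.reference.type"] != "attestation-manifest" {
			continue
		}
		subject := m.Annotations["vnd.docker.reference.digest"]
		if subject == "" {
			return nil, fmt.Errorf("attestation %s has no vnd.docker.reference.digest", m.Digest)
		}
		out[m.Digest] = subject
	}
	return out, nil
}

// ReferrersOfType filters an OCI 1.1 referrers response (an index whose descriptors carry
// artifactType) down to the referrers of one artifact type, e.g. an SPDX SBOM.
func ReferrersOfType(referrersJSON []byte, artifactType string) ([]string, error) {
	var idx Index
	if err := json.Unmarshal(referrersJSON, &idx); err != nil {
		return nil, err
	}
	var digests []string
	for _, m := range idx.Manifests {
		if m.ArtifactType == artifactType {
			digests = append(digests, m.Digest)
		}
	}
	return digests, nil
}

// Constructed sample data (not fetched from any registry; digests are placeholders): a
// buildx-style index with one linux/amd64 image plus its attestation manifest, and a
// referrers response holding an SPDX SBOM and an in-toto attestation.
var SampleBuildxIndex = []byte(`{
  "schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:aaa1",
     "size": 1, "platform": {"os": "linux", "architecture": "amd64"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:bbb2",
     "size": 1, "platform": {"os": "unknown", "architecture": "unknown"},
     "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                     "vnd.docker.reference.digest": "sha256:aaa1"}}
  ]}`)

var SampleReferrers = []byte(`{
  "schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:ccc3",
     "size": 1, "artifactType": "application/spdx+json"},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:ddd4",
     "size": 1, "artifactType": "application/vnd.in-toto+json"}
  ]}`)

func main() {
	tag, _ := CosignSBOMTag("sha256:aaa1")
	fmt.Println("ko/cosign SBOM tag:", tag)
	att, _ := BuildxAttestations(SampleBuildxIndex)
	fmt.Println("buildx attestation -> subject:", att)
	refs, _ := ReferrersOfType(SampleReferrers, "application/spdx+json")
	fmt.Println("SPDX referrers:", refs)
}
```

Against a real registry you would feed `BuildxAttestations` the output of `crane manifest <ref>` for a buildx-built image, and `CosignSBOMTag` the digest of a ko-built image; the `.sbom` tag lives in the same repository. Note that the buildx attestation manifest holds the SBOM inside an in-toto statement, while the ko/cosign `.sbom` tag holds the raw SBOM document, so a scanner that only understands one layout will miss the other.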


This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.
