Attaching the SBOM and provenance artifact to the Image artifact #1260
Comments
Can we pull these images to take a look? FYI attestations are attached to the root image index, see https://docs.docker.com/build/metadata/attestations/attestation-storage/#attestation-manifest-descriptor

🤔 Looks like

I'm sorry, the images are private. Luckily, it's very easy to replicate. Point this at any existing image you have, and it will create an attached artifact at that location. I know I can look at the manifest to see what kind of artifact it is, but this is a bit of a hassle. There is too much noise at the moment.

Not sure I understand, with buildkit attestations are already attached to the image index like this one: https://explore.ggcr.dev/?image=moby%2Fbuildkit%3Alatest (see this manifest https://explore.ggcr.dev/?image=moby/buildkit@sha256:e9bbe9e3b33be6d4a396fd92bdd03e050d1a8325e0205e87d7aec3c9b81bc243&mt=application%2Fvnd.oci.image.manifest.v1%2Bjson&size=1113)

@crazy-max IIUC, the attestation manifest can have a
When I use oras to attach an artifact to an image artifact, it's displayed in a parent/child relation in the UI of Google Cloud Artifact registry.
```shell
oras attach --artifact-type doc/example repo/image:digest sbom.json
```
When I use build-push-action this is not the case. The provenance and sbom artifacts are displayed like normal artifacts and no relationship is visible at first glance.
After comparing some of the manifests, I noticed that oras adds a field called `subject` to the manifest of the sbom and provenance artifacts with a reference to the digest of the image:

```json
"subject": {
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "digest": "sha256:the_digest_of_the_image",
  "size": 856
},
```
Can this be done by build-push-action as well?
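An added example, not code from this issue or from build-push-action, that shows the two ways an SBOM or provenance manifest can point back at its image: the OCI `subject` descriptor that `oras attach` writes, versus the `vnd.docker.reference.*` annotations BuildKit puts on the attestation entry of the image index. All digests and manifests are constructed samples; the function names are my own.

```python
# Added example, not code from the issue or build-push-action: classify how an
# SBOM/provenance manifest is linked to its image. `oras attach` writes an OCI
# "subject" descriptor into the artifact manifest; BuildKit instead lists the
# attestation manifest in the image index with vnd.docker.reference.* annotations.
# Every digest and manifest below is a constructed sample, not real data.

IMAGE = "sha256:" + "a" * 64         # constructed placeholder digests
BUILDKIT_SBOM = "sha256:" + "b" * 64
ORAS_SBOM = "sha256:" + "c" * 64
INDEX = "sha256:" + "d" * 64

# Constructed index in the shape BuildKit produces with --sbom/--provenance.
SAMPLE_INDEX = {
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": IMAGE, "size": 1113},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": BUILDKIT_SBOM, "size": 800,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": IMAGE}},
    ],
}

# Constructed artifact manifests by digest; only the oras one has a subject.
SAMPLE_MANIFESTS = {
    BUILDKIT_SBOM: {"mediaType": "application/vnd.oci.image.manifest.v1+json",
                    "layers": [{"mediaType": "application/vnd.in-toto+json"}]},
    ORAS_SBOM: {"mediaType": "application/vnd.oci.image.manifest.v1+json",
               "artifactType": "doc/example",
               "subject": {"mediaType": "application/vnd.oci.image.index.v1+json",
                           "digest": INDEX, "size": 856}},
}

def link_kind(digest, manifest, index):
    """Return (mechanism, target digest) for one artifact manifest."""
    subject = manifest.get("subject") or {}
    if subject.get("digest"):
        return ("subject", subject["digest"])
    for desc in index.get("manifests", []):
        ann = desc.get("annotations") or {}
        if (desc.get("digest") == digest
                and ann.get("vnd.docker.reference.type") == "attestation-manifest"):
            return ("index-annotation", ann.get("vnd.docker.reference.digest"))
    return ("unlinked", None)   # registry UI has nothing to draw a relation from

def classify(index, manifests):
    return {d: link_kind(d, m, index) for d, m in manifests.items()}
```

A registry UI that only understands the referrers model (the `subject` field) shows the oras artifact as a child of the image and the BuildKit one as a standalone manifest, which is the difference the issue describes.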