You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The SLSA requirements define that the provenance must unambiguously identify the output package by cryptographic digest, while also describing how the package was produced. Although SLSA Provenance v1 is recommended, there are no hard requirements on provenance format. Note that Docker buildx only supports v0.2, the upgrade is already on their backlog.
Both the SPDX SBOM and the Provenance can be embedded on a container image at building time by adding two flags to the docker buildx build command:
The provenance must account for the entire build process. When the build process is happening within the Docker buildx context, for example, the building of binaries or fetching of external dependencies must take place within one of the layers of a multi-staged container image.
No pre-built artefacts should be copied into a container image, unless that is tied to a specific version followed by some level of integrity checks. This is something to keep in mind while building the Policy Server container image, since right now the policy-server binary is built with cross-rs and then copied into the image.
The GitHub action docker/build-push-action, can enable the provenance and SBOM by adding these two lines:
- name: Build and push imageuses: docker/build-push-action@v6with:
sbom: trueprovenance: mode=max
The text was updated successfully, but these errors were encountered:
The SLSA requirements define that the provenance must unambiguously identify the output package by cryptographic digest, while also describing how the package was produced. Although SLSA Provenance v1 is recommended, there are no hard requirements on provenance format. Note that Docker buildx only supports v0.2, the upgrade is already on their backlog.
Both the SPDX SBOM and the Provenance can be embedded on a container image at building time by adding two flags to the docker buildx build command:
docker buildx build --push --sbom=true --attest type=provenance,mode=max -t "${IMAGE}" -f Dockerfile .The provenance must account for the entire build process. When the build process is happening within the Docker buildx context, for example, the building of binaries or fetching of external dependencies must take place within one of the layers of a multi-staged container image.
No pre-built artefacts should be copied into a container image, unless that is tied to a specific version followed by some level of integrity checks. This is something to keep in mind while building the Policy Server container image, since right now the
policy-serverbinary is built with cross-rs and then copied into the image.The GitHub action
docker/build-push-action, can enable the provenance and SBOM by adding these two lines:The text was updated successfully, but these errors were encountered: