SBOM generation

[BobyMCbobs]

Feature Request

Description

SBOMs are an important way to prove what images and programs are made up of.

They can be generated with

• https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
• https://github.com/anchore/syft

then signed and attested with cosign and stored in the container registry as tags
https://docs.sigstore.dev/cosign/attestation/

related: #7087

keen to hear thoughts!

[smira]

Yep, I fully agree we should enable the SBOMs, as it should be an easy step. There was some debate internally on whether cosign is a good approach from security perspective, but it should anyways be better than nothing.

[BobyMCbobs]

In terms of generating the SBOMs, would something like https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md be useful or go version -m <PROGRAM>?

Then the sboms can be attested with

cosign attest --predicate /path/to/sbom-spdx.json ghcr.io/siderolabs/talos:tag -y

[smira]

SBOM is part of the manifest, so cosign will sign it with the image itself.

We need to propagate SBOMs from pkgs which is something we should look into, but it won't be trivial.

[github-actions]

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.

[github-actions]

This issue was closed because it has been stalled for 7 days with no activity.