
Attach artifacts

In this example, we will attach SBOMs to images. The workflow is similar for attaching signatures/attestations to an artifact.

Set image

We can follow the steps from this section to set the image. Let's ensure the IMAGE variable is set.

echo $IMAGE

[Screenshot: set-image-variable]

Generate SBOM for the image

The SBOM contains the list of dependencies and, depending on how it's generated, the vulnerabilities found in them. The SBOM section walks through the command below and its output in great detail, and explains more about SBOMs as well.

trivy i --format cosign-vuln $IMAGE > image.sbom

[Screenshot: sbom-trivy-cosign-vuln-format]

Attach SBOM with the image

It's recommended to keep track of all the known vulnerabilities when committing/pushing an image. We will attach the above-generated SBOM to the image & push it to the registry.

cosign attach sbom --sbom image.sbom $IMAGE

[Screenshot: cosign-attach-sbom]

We can see the SBOM artifact uploaded to the registry. In this case, it's dockerhub.

[Screenshot: cosign-attach-sbom-ui]

NOTE

The attach feature only uploads the provided artifact to the registry. It doesn't sign the artifact, so anyone can tamper with it and there's no way to verify it. To sign artifacts like SBOMs, we have to attest the artifact instead of attaching it.
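The whole workflow from this page (set IMAGE, generate the SBOM with trivy, attach it with cosign) as one script, plus the check a practitioner would add after the push (download what the registry now holds and compare it with the local file) and the signed alternative the note above points to. This is an added example, not code from the original page or from the cosign project. It assumes trivy and cosign are on PATH and that you are logged in to the registry with push rights; the trivy and cosign commands and flags are the real ones, while the file names (image.sbom, downloaded.sbom), the helper names and the RUN/ATTEST variables are our own choices. The cosign_sbom_tag helper only reproduces cosign's naming scheme for digest-pinned references so you can locate the artifact in the registry UI.

```shell
#!/bin/sh
# Added example (not from the original page or the cosign project).
# Assumes: trivy and cosign on PATH, registry login with push rights.
# File names, helper names and the RUN/ATTEST variables are ours.
set -eu

# cosign_sbom_tag REF
# Prints the tag cosign uses when it attaches an SBOM to a digest-pinned
# reference: repo@sha256:<hex> -> repo:sha256-<hex>.sbom
cosign_sbom_tag() {
  ref=$1
  case "$ref" in
    *@sha256:*) ;;
    *) echo "cosign_sbom_tag: need repo@sha256:<hex>, got '$ref'" >&2; return 1 ;;
  esac
  repo=${ref%%@*}
  hex=${ref##*@sha256:}
  printf '%s:sha256-%s.sbom\n' "$repo" "$hex"
}

# attach_and_check IMAGE
# Generates the SBOM, attaches it, then downloads what the registry holds and
# compares it byte-for-byte with the local file. This confirms the upload
# succeeded; it does not protect against later tampering, because nothing
# here signs the SBOM (see the note above).
attach_and_check() {
  image=$1
  trivy image --format cosign-vuln "$image" > image.sbom
  cosign attach sbom --sbom image.sbom "$image"
  # cosign resolves the tag to a digest and prints the SBOM tag it used
  cosign triangulate --type sbom "$image"
  cosign download sbom "$image" > downloaded.sbom
  cmp image.sbom downloaded.sbom
  echo "SBOM attached and matches the local copy"
}

# attest_sbom IMAGE
# The signed alternative: wraps image.sbom in an in-toto attestation with the
# vuln predicate type and signs it. Without --key cosign uses its keyless flow
# (the default in cosign v2; v1 needs COSIGN_EXPERIMENTAL=1).
attest_sbom() {
  cosign attest --type vuln --predicate image.sbom "$1"
}

# Registry steps run only when invoked as:
#   RUN=1 IMAGE=repo:tag sh attach.sh        (ATTEST=1 also attests)
if [ "${RUN:-0}" = "1" ]; then
  attach_and_check "${IMAGE:?set IMAGE to the image reference first}"
  if [ "${ATTEST:-0}" = "1" ]; then
    attest_sbom "$IMAGE"
  fi
fi
```

The cmp step catches a failed or partial upload, which is the only thing `cosign attach` can promise; once the SBOM is in the registry, anyone with push rights can replace it, so the attestation path is what gives you something to verify later with `cosign verify-attestation`.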


Last update: 2022-11-24 17:31:15
Created: 2022-11-19 06:59:59