Sign OCI Image and Attest SBOM #14

Open
dsm0014 opened this issue Sep 2, 2022 · 0 comments
Labels: actions (Work involves changes to Github Actions), enhancement (New feature or request)

Comments

dsm0014 (Collaborator) commented Sep 2, 2022

The Need

The build pipeline should be signing the OCI image created and attesting the generated SBOM to the OCI registry alongside the image built during the pipeline run. This also means determining what kind of keys will be used to sign and where they can be securely stored (if necessary).

Acceptance Criteria

  • Use cosign GitHub Action(s) to sign the image produced in a pipeline
  • Use cosign GitHub Action(s) to attest the image's SBOM
@dsm0014 dsm0014 added this to the v0.2.0 milestone Sep 2, 2022
@dsm0014 dsm0014 added enhancement New feature or request actions Work involves changes to Github Actions labels Sep 2, 2022
@dagan dagan modified the milestones: v0.2.0, v0.3.0 Nov 19, 2022