actions / attest-sbom
Action for generating SBOM attestations for workflow artifacts
License: MIT License
What is the recommended way to attest SBOMs for multi-arch images? The documented way of generating and attesting surely doesn't work:
- anchore/sbom-action generates an SBOM for a single platform (most likely amd64)
- actions/attest-sbom attaches that single-platform SBOM to the multi-platform index
Here's an example:
$ crane digest jkreileder/cf-ips-to-hcloud-fw:1.0.11
sha256:bf5a71bdd31fc00feb2a727b1a0f9442e2d93460d0d6f3e11685937714dda3e9
$ crane digest --platform linux/amd64 jkreileder/cf-ips-to-hcloud-fw:1.0.11
sha256:ed9821fe41944f3b90050accd78aa3b52256809b31cb024ffd3eff31b8718ce0
$ crane digest --platform linux/arm64 jkreileder/cf-ips-to-hcloud-fw:1.0.11
sha256:43818671e5ed3569fa86a69f1ba6f4e8b83ebe3b6f2a0909b10a9007566cab0f
This was generated by https://github.com/jkreileder/cf-ips-to-hcloud-fw/blob/48ab6e2f78e92677684ca33cfd39f41971026801/.github/workflows/docker.yaml in https://github.com/jkreileder/cf-ips-to-hcloud-fw/actions/runs/9020189970.
Docker buildx itself generated two SBOMs:
$ docker buildx imagetools inspect jkreileder/cf-ips-to-hcloud-fw@sha256:bf5a71bdd31fc00feb2a727b1a0f9442e2d93460d0d6f3e11685937714dda3e9 --format "{{ json .SBOM }}"
{
  "linux/amd64": {
    "SPDX": {
      [...]
    }
  },
  "linux/arm64": {
    "SPDX": {
      [...]
    }
  }
}
The SBOM from anchore/sbom-action however is amd64-specific: https://github.com/jkreileder/cf-ips-to-hcloud-fw/actions/runs/9020189970/artifacts/1488347718
=> The generated attestation (https://github.com/jkreileder/cf-ips-to-hcloud-fw/attestations/816931) is amd64-specific and basically useless for arm64.
How should this be handled? Extract the SBOMs from the docker build (as shown above) and pass those to actions/attest-sbom although it doesn't follow the expected format? Wouldn't it be better to just directly attest the already pushed SBOMs?
Note that this might apply to build provenance attestations as well if those ever contain platform specific things. (Docker buildx e.g. does, so it attaches multiple provenances too. See docker buildx imagetools inspect jkreileder/cf-ips-to-hcloud-fw@sha256:bf5a71bdd31fc00feb2a727b1a0f9442e2d93460d0d6f3e11685937714dda3e9 --format "{{ json .Provenance }}" for example.)
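As an added example (not code from actions/attest-sbom and not from the issue author), the following Python script performs the split the issue proposes: it reads an OCI image index in the shape `crane manifest <ref>` returns and the per-platform SBOM map printed by `docker buildx imagetools inspect --format '{{ json .SBOM }}'`, pairs each platform's SPDX document with that platform's own manifest digest, and reports any platform that the available SBOMs do not describe. Each written file can then be given to a separate actions/attest-sbom invocation with `sbom-path` pointing at that file and `subject-digest` set to the platform digest rather than the index digest, so an arm64 consumer no longer receives an amd64 inventory. The index and SBOM map below are constructed samples with placeholder digests; skipping the attestation-manifest entries (platform unknown/unknown with a `vnd.docker.reference.type` annotation) is an assumption about how BuildKit stores its attestations in the index, and whether the action accepts the buildx-produced SPDX unchanged is exactly the open question the issue raises.

```python
"""Pair each platform image in a multi-arch index with its own SBOM.

Added example for the multi-arch attestation question; not part of
actions/attest-sbom. All inputs are constructed samples with placeholder digests.
"""
import json
import os
from typing import Dict, Iterable, List

# Constructed OCI image index in the shape `crane manifest <ref>` returns for a
# multi-platform image. The third entry imitates how BuildKit stores its
# attestations (assumed convention: platform unknown/unknown plus a reference
# annotation). The digests are placeholders, not real images.
INDEX_JSON = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "a" * 64, "size": 1,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "b" * 64, "size": 1,
         "platform": {"os": "linux", "architecture": "arm64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "c" * 64, "size": 1,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": "sha256:" + "a" * 64}},
    ],
})

# Constructed SBOM map in the shape of
# `docker buildx imagetools inspect <ref> --format '{{ json .SBOM }}'`,
# with the SPDX bodies trimmed to a few fields.
SBOM_MAP_JSON = json.dumps({
    "linux/amd64": {"SPDX": {"spdxVersion": "SPDX-2.3", "name": "sample-amd64",
                             "packages": [{"name": "libc6", "versionInfo": "2.36"}]}},
    "linux/arm64": {"SPDX": {"spdxVersion": "SPDX-2.3", "name": "sample-arm64",
                             "packages": [{"name": "libc6", "versionInfo": "2.36"}]}},
})


def platform_key(platform: dict) -> str:
    """Render a platform object as 'os/arch' or 'os/arch/variant'."""
    key = f"{platform.get('os')}/{platform.get('architecture')}"
    if platform.get("variant"):
        key += "/" + platform["variant"]
    return key


def platform_digests(index_json: str) -> Dict[str, str]:
    """Map each real platform in an OCI index to its manifest digest.

    Attestation manifests (assumed BuildKit convention, see INDEX_JSON) are
    skipped: they are not images anyone pulls, so they need no SBOM subject."""
    digests: Dict[str, str] = {}
    for entry in json.loads(index_json).get("manifests", []):
        platform = entry.get("platform") or {}
        annotations = entry.get("annotations") or {}
        if platform.get("os") == "unknown" and platform.get("architecture") == "unknown":
            continue
        if annotations.get("vnd.docker.reference.type") == "attestation-manifest":
            continue
        digests[platform_key(platform)] = entry["digest"]
    return digests


def split_sboms(sbom_map_json: str) -> Dict[str, dict]:
    """Split the buildx SBOM map into one SPDX document per platform."""
    data = json.loads(sbom_map_json)
    return {plat: body["SPDX"] for plat, body in data.items() if "SPDX" in body}


def missing_platforms(index_json: str, sbom_platforms: Iterable[str]) -> List[str]:
    """Platforms in the index that none of the given SBOMs describe.

    A single amd64 SBOM attached to the index leaves every other platform
    listed here, which is the situation the issue describes."""
    return sorted(set(platform_digests(index_json)) - set(sbom_platforms))


def pair_sboms(index_json: str, sbom_map_json: str) -> List[dict]:
    """Return one {platform, digest, spdx} record per platform that has both an
    image manifest in the index and an SBOM in the buildx map."""
    digests = platform_digests(index_json)
    sboms = split_sboms(sbom_map_json)
    return [{"platform": plat, "digest": digests[plat], "spdx": sboms[plat]}
            for plat in sorted(digests) if plat in sboms]


def write_predicates(pairs: List[dict], outdir: str) -> List[str]:
    """Write one <os>-<arch>.spdx.json per pair. Each file is meant to be the
    sbom-path of its own attestation, with subject-digest = pair['digest']."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for pair in pairs:
        path = os.path.join(outdir, pair["platform"].replace("/", "-") + ".spdx.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(pair["spdx"], fh, indent=2)
        paths.append(path)
    return paths


if __name__ == "__main__":
    pairs = pair_sboms(INDEX_JSON, SBOM_MAP_JSON)
    for pair in pairs:
        print(f"{pair['platform']}: attest {pair['spdx']['name']} against {pair['digest']}")
    # Reproduce the issue's failure mode: only an amd64 SBOM exists.
    print("uncovered by an amd64-only SBOM:", missing_platforms(INDEX_JSON, ["linux/amd64"]))
    for path in write_predicates(pairs, "sbom-predicates"):
        print("wrote", path)
```

The `missing_platforms` check is the part worth keeping in a pipeline even if the per-platform attestation is not adopted: run against the real index and the list of platforms the SBOM tool actually scanned, a non-empty result means the attestation about to be pushed describes fewer platforms than the index it is attached to.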
After successfully generating an SBOM and then attesting it, this action fails to upload the artifact with a generic error: Error uploading artifact to container registry
Here's the action log (IDs redacted):
Run actions/attest-sbom@v1
  with:
    subject-name: ghcr.io/x/x
    subject-digest: sha256:x3x
    sbom-path: x.spdx.json
    push-to-registry: true
    github-token: ***
  env:
    ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT: x_latest.spdx.json
Run actions/attest-sbom/predicate@534x
  with:
    sbom-path: x.spdx.json
  env:
    ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT: x_latest.spdx.json
Run actions/attest@495x67d
  with:
    subject-digest: sha256:x7x8x9x
    subject-name: ghcr.io/x/x
    predicate-type: https://spdx.dev/Document/v2.3
    predicate-path: /home/runner/work/_temp/lrJC03/predicate.json
    push-to-registry: true
    github-token: ***
  env:
    ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT: x_latest.spdx.json
Attestation created for ghcr.io/x/x@sha256:b10x
Attestation signed using certificate from GitHub Sigstore instance
Attestation uploaded to repository
https://github.com/x/x/attestations/793731
Error: Error uploading artifact to container registry
I can view the attestation from the web UI and the image has been published to the registry. The attestation is not linked, but I can download it from the workflow summary.