actions / attest-sbom Goto Github PK
View Code? Open in Web Editor NEWAction for generating SBOM attestations for workflow artifacts
License: MIT License
attest-sbom's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
attest-sbom's Issues
Attestations for multi-platform images
What is the recommended way to attest SBOMs for multi-arch images? The documented way of generating and attesting surely doesn't work:
- First
anchore/sbom-actiongenerates an SBOM for a single platform (most likely amd64) - Then
actions/attest-sbomattaches that single-platform SBOM to the multi-platform index
Here's an example:
$ crane digest jkreileder/cf-ips-to-hcloud-fw:1.0.11
sha256:bf5a71bdd31fc00feb2a727b1a0f9442e2d93460d0d6f3e11685937714dda3e9
$ crane digest --platform linux/amd64 jkreileder/cf-ips-to-hcloud-fw:1.0.11
sha256:ed9821fe41944f3b90050accd78aa3b52256809b31cb024ffd3eff31b8718ce0
$ crane digest --platform linux/arm64 jkreileder/cf-ips-to-hcloud-fw:1.0.11
sha256:43818671e5ed3569fa86a69f1ba6f4e8b83ebe3b6f2a0909b10a9007566cab0fThis was generated by https://github.com/jkreileder/cf-ips-to-hcloud-fw/blob/48ab6e2f78e92677684ca33cfd39f41971026801/.github/workflows/docker.yaml in https://github.com/jkreileder/cf-ips-to-hcloud-fw/actions/runs/9020189970.
Docker buildx itself generated two SBOMs:
$ docker buildx imagetools inspect jkreileder/cf-ips-to-hcloud-fw@sha256:bf5a71bdd31fc00feb2a727b1a0f9442e2d93460d0d6f3e11685937714dda3e9 --format "{{ json .SBOM }}"
{
"linux/amd64": {
"SPDX": {
[...]
}
},
"linux/arm64": {
"SPDX": {
[...]
}
}
}The SBOM from anchore/sbom-action however is amd64-specific: https://github.com/jkreileder/cf-ips-to-hcloud-fw/actions/runs/9020189970/artifacts/1488347718
=> The generated attestation (https://github.com/jkreileder/cf-ips-to-hcloud-fw/attestations/816931) is amd64-specific and basically useless for arm64.
How should this be handled? Extract the SBOMs from the docker build (as shown above) and pass those to actions/attest-sbom although it doesn't follow the expected format? Wouldn't it be better to just directly attest the already pushed SBOMs?
Note that this might apply to build provenance attestations as well if those ever contain platform specific things. (Docker buildx e.g. does, so it attaches multiple provenances too. See docker buildx imagetools inspect jkreileder/cf-ips-to-hcloud-fw@sha256:bf5a71bdd31fc00feb2a727b1a0f9442e2d93460d0d6f3e11685937714dda3e9 --format "{{ json .Provenance }}" for example.)
Error uploading artifact to container registry
After successfully generating an SBOM and then attesting it, this action fails to upload the artifact with a generic error: Error uploading artifact to container registry
Here's the action log (IDs redacted):
Run actions/attest-sbom@v[1](https://github.com/x/x/actions/runs/X/job/X#step:19:1)
with:
subject-name: ghcr.io/x/x
subject-digest: sha[2](https://github.com/x/x/actions/runs/x/job/x#step:19:2)56:x[3](https://github.com/x/x/actions/runs/x/job/x#step:19:3)x
sbom-path: x.spdx.json
push-to-registry: true
github-token: ***
env:
ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT: x_latest.spdx.json
Run actions/attest-sbom/predicate@53[4](https://github.com/x/x/actions/runs/x/job/x#step:19:4)x
with:
sbom-path: x.spdx.json
env:
ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT: x_latest.spdx.json
Run actions/attest@49[5](https://github.com/x/x/actions/runs/x/job/x#step:19:5)x[6](https://github.com/x/x/actions/runs/x/job/x#step:19:6)7d
with:
subject-digest: sha256:x[7](https://github.com/x/x/actions/runs/x/job/x#step:19:7)x[8](https://github.com/x/x/actions/runs/x/job/x#step:19:8)x[9](https://github.com/x/x/actions/runs/x/job/x#step:19:9)x
subject-name: ghcr.io/x/x
predicate-type: https://spdx.dev/Document/v2.3
predicate-path: /home/runner/work/_temp/lrJC03/predicate.json
push-to-registry: true
github-token: ***
env:
ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT: x_latest.spdx.json
Attestation created for ghcr.io/x/x@sha256:b[10](https://github.com/x/x/actions/runs/x/job/x#step:19:11)x
Attestation signed using certificate from GitHub Sigstore instance
Attestation uploaded to repository
https://github.com/x/x/attestations/793731
Error: Error uploading artifact to container registry
I can view the attestation from the web UI and the image has been published to the registry. The attestation is not linked, but I can download it from the workflow summary.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.