imagetools inspect: handle provenance and sboms#1444
tonistiigi merged 2 commits into docker:master
| @@ -0,0 +1,415 @@ | |||
| package imagetools | |||
|
|
|||
| // TODO: replace with go-imageinspect library when public | |||
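Review bot: the `// TODO: replace with go-imageinspect library when public` comment at the top of the new file has no tracking reference; adding the issue or follow-up PR link (or at least naming which types in this 415-line file are the temporary ones) would make the code easy to find and remove once the library is published.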
@jedevc Yes, we should use the go-imageinspect library in a follow-up.
Is there a way we can support multiple SBOMs? e.g. in the case of a Dockerfile where multiple stages have been scanned, we should have a way to get multiple. Maybe

Side note: the issue with ordering here is that the "most relevant" SBOM is currently not guaranteed to be first (though I think I have a solution for fixing that buildkit-side).

Aside from the above, LGTM 🎉
| return nil | ||
| } | ||
|
|
||
| type provenance struct { // TODO: this is only a stub, to be refactored later |
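Review bot: the `type provenance struct { // TODO: this is only a stub, to be refactored later` line attaches the TODO to the declaration itself, which says nothing about what callers may rely on; if the type is going to be replaced, a doc comment above it stating which fields are stable, or holding the raw document as `json.RawMessage` so no fields have to be promised, would keep callers from depending on the stub's shape.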
Could we just show the raw SLSA in here? Just `json.RawMessage`.
tonistiigi left a comment
The SBOM part seems ok but I don't think we should invent another temporary provenance type atm.

If we possibly want to add our own typed structs for SBOM/Provenance in the future then maybe it is better if we leave the names of the raw structs as

Did some testing with https://github.com/docker/buildx/compare/master...tonistiigi:buildx:inspect-provenance?expand=1 branch. Mostly seems to work with raw values but commands are really slow (when blobs are being pulled, I believe). Maybe this can be optimized or should show debug logs. Especially because some of the SBOM values can be really big, they should only be pulled when the user really asks for the data.
Signed-off-by: CrazyMax <[email protected]>
wdyt @crazy-max @jedevc

Not sure about the SLSA terminology here. It can be VSA or Provenance atm so I think Provenance still makes sense. Maybe SLSAProvenance? And for SBOM we could have SBOMSPDX?

The merged name combination seems odd to me - maybe we could go with
use stub structs for SLSA/SBOM while waiting for go-imageinspect library to be public.

Signed-off-by: CrazyMax <[email protected]>
I'm not sure if it is possible to have

I merged this in but if we still want to make changes to naming we still can before the GA.
Supports provenance and sbom for the `imagetools inspect` command.

```
$ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .}}"
```

Output: https://gist.github.com/crazy-max/5bbc2e60c58263a0162bbf3b920d3d09
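The raw-document approach discussed in the review above (keeping provenance as `json.RawMessage` and allowing more than one SBOM), as an added Go example that is not code from this PR or from buildx: the `Attestations` type, the `Classify` function, the predicateType URIs and the sample statements are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Attestations keeps raw in-toto statements as json.RawMessage so no SLSA/SPDX
// schema is committed to yet. Hypothetical type for this example, not the PR's.
type Attestations struct {
	Provenance json.RawMessage   // the single SLSA provenance statement, if any
	SBOM       []json.RawMessage // every SPDX statement, in the order seen
}

// Assumed in-toto predicate types for SLSA provenance v0.2 and SPDX documents.
const predSLSAProvenance = "https://slsa.dev/provenance/v0.2"
const predSPDX = "https://spdx.dev/Document"

// Classify routes statements by predicateType without decoding the predicate
// bodies; an unknown type is an error so a dropped attestation is never silent.
func Classify(statements [][]byte) (Attestations, error) {
	var out Attestations
	for i, raw := range statements {
		var hdr struct {
			PredicateType string `json:"predicateType"`
		}
		if err := json.Unmarshal(raw, &hdr); err != nil {
			return Attestations{}, fmt.Errorf("statement %d: %w", i, err)
		}
		switch hdr.PredicateType {
		case predSLSAProvenance: // this example assumes one provenance per manifest
			if out.Provenance != nil {
				return Attestations{}, fmt.Errorf("statement %d: second provenance statement", i)
			}
			out.Provenance = json.RawMessage(raw)
		case predSPDX: // several SBOMs (e.g. one per scanned stage) are kept
			out.SBOM = append(out.SBOM, json.RawMessage(raw))
		default:
			return Attestations{}, fmt.Errorf("statement %d: unsupported predicateType %q", i, hdr.PredicateType)
		}
	}
	return out, nil
}

// Constructed sample input: two SPDX statements around one provenance statement.
var SampleStatements = [][]byte{
	[]byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document","predicate":{"name":"stage-build"}}`),
	[]byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"builder":{"id":"example"}}}`),
	[]byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document","predicate":{"name":"stage-final"}}`),
}
```

Because the bytes are never re-encoded, `--format "{{json .}}"` style output would show the attestation exactly as it was stored in the registry.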