syft - generate sboms from images. used by default with buildkit
grype - scan an sbom
Docker attestations - create sbom and provenance from docker build
conftest - better way to write rego
requires having containerd as the image store for docker desktop enable to be able to store and push the attestations
with buildkit the attestations are stored within the layers of the image. this is different than how cosign works and the sigstore tooling. sigstore/cosign#2688
crane manifest dev.registry.tanzu.vmware.com/warroyo/buildkit-attest
provenance:
docker buildx imagetools inspect /:
--format "{{ json .Provenance.SLSA }}"
sbom:
docker buildx imagetools inspect /:
--format "{{ json .SBOM.SPDX }}"
requires using opa cli to do verifications
opa eval -i buildkit-provenance.json -d validate-base.rego data.validate.allow --format pretty
attaches artifacts to the images. this seems to be a more standard way that sigstore expects
docker build . -t dev.registry.tanzu.vmware.com/warroyo/cosign-attest
need to create provenance and sbom
sbom syft dev.registry.tanzu.vmware.com/warroyo/cosign-attest -o spdx-json > sbom.json
cosign attest --type spdxjson --predicate sbom.json --key cosign.key dev.registry.pivotal.io/warroyo/basic-build@sha256:7620cb34610ef908e5143eddc8093834d2dc8388e8188c1adee2497179162fb2 --tlog-upload=false
cosign download attestation
--predicate-type=https://spdx.dev/Document
dev.registry.tanzu.vmware.com/warroyo/cosign-attest | jq -r .payload | base64 -d | jq
cosign verify-attestation --key cosign.pub dev.registry.tanzu.vmware.com/warroyo/cosign-attest --insecure-ignore-tlog=true --type spdxjson
cosign verify-attestation --key cosign.pub dev.registry.tanzu.vmware.com/warroyo/cosign-attest --insecure-ignore-tlog=true --type spdxjson | jq -r .payload | base64 -D | jq . > att.json
cosign verify-attestation --key cosign.pub dev.registry.tanzu.vmware.com/warroyo/cosign-attest --insecure-ignore-tlog=true --type spdxjson | jq -r .payload | base64 -D | jq -r .predicate | grype
docker buildx imagetools inspect dev.registry.tanzu.vmware.com/warroyo/buildkit-attest --format "{{ json .SBOM.SPDX }}" > buildkit-sbom
docker buildx imagetools inspect dev.registry.tanzu.vmware.com/warroyo/buildkit-attest --format "{{ json .Provenance.SLSA }}" >buildkit-provenance.json
then attest with cosign
cosign attest --type spdxjson --predicate buildkit-sbom.json --key cosign.key dev.registry.pivotal.io/warroyo/buildkit-attest@sha256:80f18774e1b4dc6cc1ef7fb93e42a3b41083d2fb0e141047b05e6a0bd35e9923 --tlog-upload=false
cosign attest --type slsaprovenance --predicate buildkit-provenance.json --key cosign.key dev.registry.pivotal.io/warroyo/buildkit-attest@sha256:80f18774e1b4dc6cc1ef7fb93e42a3b41083d2fb0e141047b05e6a0bd35e9923 --tlog-upload=false