v4.1.1 - Use Syft for SBOM

[JeroenKnoops]

Use Syft for generating SBOM

You can create a SPDX file. This feature is using Anchore Syft.
Add sbom: true to the arguments and a sbom-spdx.json file is created.
The filename is exported as output in sbom-file.
See: https://github.com/philips-software/docker-ci-scripts#with-sbom

Attach SBOM to Image

When you are creating the SBOM file and you provided the sign arguments and cosign environment variables, the SBOM file will be attached to the image.

You can verify the provenance by doing the following thing:

cosign verify-attestation --key cosign.pub <image-name> | jq -r '.payload' | base64 -d | jq .

Major change

• This version will resolve the bug when using private container registries when creating an SBOM.

What's Changed

• Use temporary file to store temporary things by @JeroenKnoops in Use temporary file to store temporary things #105
• Update version of slsa to 0.7.0 and cosign to 1.5.1 by @JeroenKnoops in Update version of slsa to 0.7.0 and cosign to 1.5.1 #106
• Corrected some typos in README.md by @ivd-git in Corrected some typos in README.md #107
• Use Syft for SBOM by @JeroenKnoops in Use Syft for SBOM #108

New Contributors

• @ivd-git made their first contribution in Corrected some typos in README.md #107

Full Changelog: v4.1.0...v4.1.1

---

This discussion was created from the release v4.1.1 - Use Syft for SBOM.