Use docker buildx's --attest capability to generate Provenance and SBOM in-toto attestations. These are attached to the image index as OCI images. This does NOT use the referrer method. However, multiple projects including GK already use this approach. It is also the simplest to implement.
Generate SBOM and SLSA provenance manually using the corresponding tools, and then use ORAS to attach them to the image.
What would you like to be added?
Ratify publishes images to GHCR. Ratify should generate and attach SBOM + provenance metadata to the published images.
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this feature?
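For the first option, where attestations sit in the image index instead of being attached as referrers, a release check can confirm that every platform image in a published index has an attestation manifest pointing at it. This is an added example, not code from the Ratify project or from the issue author; it assumes the index JSON was saved from `docker buildx imagetools inspect --raw <image>`, relies on the annotations BuildKit puts on attestation manifests, and runs here on a constructed sample with placeholder digests.

```python
import json

# Constructed sample: an OCI image index shaped like the one BuildKit pushes
# when --attest is used. Digests are shortened placeholders, not real values.
SAMPLE_INDEX = json.loads("""
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:aaaa", "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:bbbb", "platform": {"architecture": "arm64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:cccc", "platform": {"architecture": "unknown", "os": "unknown"},
     "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                     "vnd.docker.reference.digest": "sha256:aaaa"}}
  ]
}
""")

def is_attestation(desc):
    # BuildKit marks attestation manifests in the index with this annotation.
    return desc.get("annotations", {}).get("vnd.docker.reference.type") == "attestation-manifest"

def platform_of(desc):
    p = desc.get("platform", {})
    return f'{p.get("os", "?")}/{p.get("architecture", "?")}'

def audit_index(index):
    """Report images with no attestation manifest, and attestations whose subject is not in the index."""
    manifests = index.get("manifests", [])
    images = [d for d in manifests if not is_attestation(d)]
    attestations = [d for d in manifests if is_attestation(d)]
    image_digests = {d["digest"] for d in images}
    covered = {a["annotations"].get("vnd.docker.reference.digest") for a in attestations}
    return {
        "missing": [(d["digest"], platform_of(d)) for d in images if d["digest"] not in covered],
        "dangling": [a["digest"] for a in attestations
                     if a["annotations"].get("vnd.docker.reference.digest") not in image_digests],
    }

if __name__ == "__main__":
    report = audit_index(SAMPLE_INDEX)
    for digest, platform in report["missing"]:
        print(f"no attestation manifest for {platform} {digest}")
    for digest in report["dangling"]:
        print(f"attestation {digest} references a digest not in this index")
```

This only checks that attestation manifests are present and linked; it does not fetch the in-toto statements or verify their contents.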