From d2e815a2c5f9826becefab81bafacd14777891d7 Mon Sep 17 00:00:00 2001 From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com> Date: Mon, 24 Jan 2022 10:04:57 -0500 Subject: [PATCH] Add attestation workflow to README (#759) * add attestation workflow to README Signed-off-by: Christopher Phillips --- README.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/README.md b/README.md index 39249d8aa..585585623 100644 --- a/README.md +++ b/README.md 
@@ -413,3 +413,35 @@ anchore: # same as -d ; SYFT_ANCHORE_DOCKERFILE env var dockerfile: "" ``` + +### Adding an SBOM to an image as an attestation +SBOMs themselves can serve as input to different analysis tools. The Anchore organization offers the vulnerability scanner +[grype](https://github.com/anchore/grype) as one such tool. +One of the foundational approaches to "trust" between tools is for producers to use the artifacts generated by syft as attestations to their images. +The SBOM output of syft can be used with the [cosign](https://github.com/sigstore/cosign) tool to generate an attestation that is attached to a signed image. + +#### Example attest +Note for the following example replace `test/image:latest` with an image you own. You should also have push access to +its remote reference. Replace $MY_PRIVATE_KEY with a private key you own or have generated with cosign. + +```bash +cosign sign -key $MY_PRIVATE_KEY test/image:latest +syft test/image:latest -o json > test_latest_sbom.json +cosign attest -predicate test_latest_sbom.json -key $MY_PRIVATE_KEY +``` + +Verify the new attestation exists on your image +```bash +cosign verify-attestation -key $MY_PUBLIC_KEY test/image:latest | jq '.payload |= @base64d | .payload | fromjson | .predicate.Data | fromjson | .' +``` + +You should see this output along with the attached SBOM. +``` +Verification for test/image:latest -- +The following checks were performed on each of these signatures: + - The cosign claims were validated + - The signatures were verified against the specified public key + - Any certificates were verified against the Fulcio roots. +``` + +Consumers of your image can now trust that the SBOM associated with your image is correct and from a trusted source.
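Review bot: the `cosign attest` line in the "Example attest" block is missing the image reference, so the command as written will not attach the predicate to anything; it should read `cosign attest -predicate test_latest_sbom.json -key $MY_PRIVATE_KEY test/image:latest`, mirroring the `sign` and `syft` lines above it. Two smaller documentation points in the same hunk: the note only tells the reader to replace `$MY_PRIVATE_KEY`, but the verify step introduces `$MY_PUBLIC_KEY` without explaining that it is the public half of that cosign key pair, so add it to the "replace" sentence; and the closing line "Consumers of your image can now trust that the SBOM associated with your image is correct" overstates what the attestation provides. Verification proves the SBOM was produced and signed by the holder of that key and has not been altered since, not that its contents are accurate, so "is the one you published and has not been tampered with" would be a more precise claim.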