imagetools inspect: handle provenance and sboms #1444
@@ -0,0 +1,415 @@ | |||
package imagetools | |||
|
|||
// TODO: replace with go-imageinspect library when public |
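Review bot: the TODO at the top of the new file says only "when public"; it should point at the go-imageinspect follow-up (issue or PR number, left as a placeholder here since the page does not give one) so the replacement is not forgotten once this merges, e.g. `// TODO(#<follow-up>): replace with go-imageinspect library once it is public`.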
@jedevc Yes, we should use the go-imageinspect library in a follow-up.
Is there a way we can support multiple SBOMs? E.g. in the case of a Dockerfile where multiple stages have been scanned, we should have a way to get multiple. Maybe
Side note: the issue with ordering here is that the "most relevant" SBOM is currently not guaranteed to be first (though I think I have a solution for fixing that buildkit-side).
Aside from the above, LGTM 🎉
util/imagetools/loader.go
return nil | ||
} | ||
|
||
type provenance struct { // TODO: this is only a stub, to be refactored later |
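Review bot: `type provenance struct { // TODO: this is only a stub, to be refactored later` introduces a placeholder type that callers of `imagetools inspect` will start depending on, so the later refactor becomes a second migration; holding the attestation as `json.RawMessage` until the typed structs land avoids that and surfaces the full SLSA statement. If the stub stays, its doc comment should say which fields are considered stable.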
Could we just show the raw SLSA in here? Just json.RawMessage.
The SBOM part seems OK, but I don't think we should invent another temporary provenance type atm.
If we possibly want to add our own typed structs for SBOM/Provenance in the future, then maybe it is better if we leave the names of the raw structs as
Did some testing with the https://github.com/docker/buildx/compare/master...tonistiigi:buildx:inspect-provenance?expand=1 branch. Mostly seems to work with raw values, but commands are really slow (when blobs are being pulled, I believe). Maybe this can be optimized or should show debug logs. Especially because some of the SBOM values can be really big, they should only be pulled when the user really asks for the data.
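The two points raised above, keeping the provenance as raw json.RawMessage instead of a stub type and supporting more than one SBOM per image, can be combined in one loader. The following is an added example, not code from buildx or this PR; it assumes BuildKit's in-toto statement layout with the predicateType values https://slsa.dev/provenance/v0.2 and https://spdx.dev/Document, and the input statements are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Statement is the in-toto envelope BuildKit emits; the predicate stays a
// json.RawMessage, so no temporary typed SLSA/SBOM struct is needed.
type Statement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
// Attestations: one provenance, any number of SBOMs (one per scanned stage).
type Attestations struct {
	SLSA json.RawMessage
	SBOM []json.RawMessage
}
// ParseAttestations routes statements by predicateType; a second provenance
// or an unknown type is an error rather than being silently dropped.
func ParseAttestations(raw [][]byte) (*Attestations, error) {
	out := &Attestations{}
	for i, b := range raw {
		var st Statement
		if err := json.Unmarshal(b, &st); err != nil {
			return nil, fmt.Errorf("statement %d: %w", i, err)
		}
		switch {
		case st.PredicateType == "https://slsa.dev/provenance/v0.2" && out.SLSA == nil:
			out.SLSA = st.Predicate
		case st.PredicateType == "https://spdx.dev/Document":
			out.SBOM = append(out.SBOM, st.Predicate)
		default:
			return nil, fmt.Errorf("statement %d: unexpected or duplicate predicateType %q", i, st.PredicateType)
		}
	}
	return out, nil
}
func main() {
	// Constructed sample input (not real attestations): one provenance, two SBOMs.
	a, err := ParseAttestations([][]byte{
		[]byte(`{"predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"builder":{"id":"example"}}}`),
		[]byte(`{"predicateType":"https://spdx.dev/Document","predicate":{"name":"stage-a"}}`),
		[]byte(`{"predicateType":"https://spdx.dev/Document","predicate":{"name":"stage-b"}}`),
	})
	if err != nil {
		panic(err)
	}
	fmt.Printf("provenance=%s sboms=%d\n", a.SLSA, len(a.SBOM))
}
```

Because the predicate bytes are never decoded, a large SPDX document costs only the copy of its raw bytes, which fits the remark above about deferring expensive work until the user asks for it.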
Signed-off-by: CrazyMax <[email protected]>
wdyt @crazy-max @jedevc
Not sure about the SLSA terminology here. It can be VSA or Provenance atm, so I think Provenance still makes sense. Maybe SLSAProvenance? And for SBOM we could have SBOMSPDX?
The merged name combination seems odd to me; maybe we could go with
use stub structs for SLSA/SBOM while waiting for go-imageinspect library to be public.
Signed-off-by: CrazyMax <[email protected]>
I'm not sure if it is possible to have
I merged this in, but if we still want to make changes to naming, we still can before the GA.
Supports provenance and SBOM for the imagetools inspect command.
$ docker buildx imagetools inspect crazymax/buildkit:attest --format "{{json .}}"
https://gist.github.com/crazy-max/5bbc2e60c58263a0162bbf3b920d3d09