ko sbom binding strategy problem #1243
ko follows cosign's SBOM spec for this; for more detail, you can take a look here. BuildX, on the other hand, has its own standards: they use another manifest with platform and arch set as unknown; you can take a look here. This is where the OCI Referrers API comes in handy to avoid this kind of separation between tools in handling these software supply chain materials.
This issue is stale because it has been open for 90 days with no
Hello, when I use buildx, it binds the sbom data directly into the manifest.
But ko pushes it as a tag.
How can we do this like docker buildx does?
BTW, docker scout cannot detect sboms in the main image created via ko.
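The two binding strategies discussed in this thread can be told apart from registry metadata alone. The sketch below is an added example, not part of the thread and not code from ko, cosign or buildx; the digests, tag lists and function names are constructed placeholders, and it assumes the image index JSON and the repository's tag list have already been fetched.

```python
# Constructed sample: an image index as buildx writes it with attestations on.
# Digests are shortened placeholders, not real values.
BUILDX_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:aaaa", "size": 1,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:bbbb", "size": 1,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": "sha256:aaaa"}},
    ],
}
# Constructed sample: a ko-style push, where the SBOM lives under a separate tag.
KO_INDEX = {"schemaVersion": 2, "manifests": [
    {"digest": "sha256:cccc", "size": 1,
     "platform": {"architecture": "amd64", "os": "linux"}}]}
KO_TAGS = ["latest", "sha256-cccc.sbom"]

def cosign_sbom_tag(digest):
    """Tag that cosign's SBOM convention derives from an image digest."""
    algo, _, hexpart = digest.partition(":")
    return f"{algo}-{hexpart}.sbom"

def buildx_attestations(index):
    """Map subject digest -> attestation manifest digest listed in the index."""
    found = {}
    for m in index.get("manifests", []):
        ann = m.get("annotations", {})
        if (ann.get("vnd.docker.reference.type") == "attestation-manifest"
                and m.get("platform", {}).get("os") == "unknown"):
            found[ann.get("vnd.docker.reference.digest")] = m["digest"]
    return found

def sbom_binding(image_digest, index, repo_tags):
    """Report which binding strategies are present for one image digest.

    An attestation manifest may hold provenance only; confirming that it
    carries an SBOM means fetching it and reading its predicate types.
    """
    kinds = []
    if image_digest in buildx_attestations(index):
        kinds.append("buildx-index-attestation")
    if cosign_sbom_tag(image_digest) in repo_tags:
        kinds.append("cosign-tag")
    return kinds
```

A scanner that only walks the index for attestation manifests reports nothing for the ko-style push, which matches the docker scout behaviour described in the issue.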