Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add OCI image annotation, sbom, provenance to docker images #397

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Commits on Aug 21, 2024

  1. Add OCI image annotation, sbom, provenance to docker images

    These annotations are useful for people to use manually and for use by tools. For example, Snyk uses them in its UI and Renovate uses them to find release notes.
    
    The provenance attestations include facts about the build process, including details such as:
    * Build timestamps
    * Build parameters and environment
    * Version control metadata
    * Source code details
    * Materials (files, scripts) consumed during the build
    
    See:
    * https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
    * https://snyk.io/blog/how-and-when-to-use-docker-labels-oci-container-annotations/
    * https://github.com/renovatebot/renovate/blob/34.115.1/lib/modules/datasource/docker/readme.md
    * https://docs.docker.com/build/attestations/slsa-provenance/
    * https://docs.docker.com/build/attestations/slsa-definitions/
    * https://docs.docker.com/build/attestations/sbom/
    
    Signed-off-by: Craig Andrews <[email protected]>
    candrews authored Aug 21, 2024
    Configuration menu
    Copy the full SHA
    d968757 View commit details
    Browse the repository at this point in the history