Cloud Native Buildpacks offers support for SBOM generation, which is both convenient and ensures a better result, because the SBOM is generated as part of the build process and not afterwards.
One way of retrieving the SBOMs included in an OCI image is by using the pack CLI:
pack sbom download <image>
This strategy of storing SBOMs within the OCI image as part of the build process is convenient, but specific to Buildpacks. It would be great if kpack would add an optional feature to collect those SBOMs and add them as a signed attestation to the OCI image, following the standard in-toto format as described in this article from Syft.
By doing that, integration of kpack with other tools would be more straightforward when handling supply chain security. For example, it would be a standard task using Trivy to scan the SBOM attestation attached to the OCI image built by kpack (see here) rather than having configuration specific for the kpack/buildpacks use case.
If there's interest in having such a feature in kpack, I'm available to help refine it.
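As an added illustration of the attestation format the request describes (not code from the issue author, kpack or the Buildpacks project), the following Python models what a consumer would receive: an SBOM like one of the files `pack sbom download <image>` extracts, wrapped in an in-toto Statement whose subject is the image digest, carried in a DSSE envelope. The SBOM, image digest and key are constructed placeholders; HMAC-SHA256 stands in for the asymmetric signature (for example a cosign key) a real pipeline would use, and the predicate type URIs are the CycloneDX and SPDX ones the in-toto attestation spec defines and Trivy recognises.

```python
"""Constructed example: wrap a Buildpacks SBOM in a DSSE-signed in-toto
Statement and check it the way a scanner or admission hook would."""
import base64
import hashlib
import hmac
import json

# in-toto Statement type and the two SBOM predicate types in the spec.
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
CYCLONEDX_PREDICATE = "https://cyclonedx.org/bom"
SPDX_PREDICATE = "https://spdx.dev/Document"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed CycloneDX fragment standing in for a file that
# `pack sbom download <image>` extracts; not a real build's SBOM.
SAMPLE_CDX_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:maven/org.example/example-lib@1.2.3"},
    ],
}
# Constructed image digest and signing key (placeholders, not real values).
IMAGE_DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()
DEMO_KEY = b"demo-hmac-key-not-for-production"


def predicate_type_for(sbom):
    """Pick the in-toto predicate type from the SBOM's own format markers."""
    if sbom.get("bomFormat") == "CycloneDX":
        return CYCLONEDX_PREDICATE
    if "spdxVersion" in sbom:
        return SPDX_PREDICATE
    raise ValueError("unrecognised SBOM format")


def build_statement(image_name, image_digest, sbom):
    """in-toto Statement binding the SBOM to one image by digest."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": image_name, "digest": {"sha256": image_digest}}],
        "predicateType": predicate_type_for(sbom),
        "predicate": sbom,
    }


def pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: the bytes that actually get signed,
    so the payload type cannot be swapped without invalidating the signature."""
    return b"DSSEv1 %d %s %d %s" % (
        len(payload_type), payload_type.encode(), len(payload), payload)


def sign_statement(statement, key, keyid="demo-key"):
    """Produce a DSSE envelope. HMAC-SHA256 stands in for the asymmetric
    signature a real pipeline (e.g. cosign) would apply."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(DSSE_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def check_attestation(envelope, key, expected_digest):
    """Verify signature over the PAE, then statement type, predicate type and
    subject digest. Returns 'ok' or a short reason for rejection."""
    try:
        payload_type = envelope["payloadType"]
        payload = base64.b64decode(envelope["payload"])
        sig = base64.b64decode(envelope["signatures"][0]["sig"])
    except (KeyError, IndexError, TypeError, ValueError):
        return "malformed envelope"
    expected = hmac.new(key, pae(payload_type, payload), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE:
        return "not an in-toto statement"
    if statement.get("predicateType") not in (CYCLONEDX_PREDICATE, SPDX_PREDICATE):
        return "unsupported predicate type"
    digests = [s.get("digest", {}).get("sha256") for s in statement.get("subject", [])]
    if expected_digest not in digests:
        return "subject digest does not match image"
    return "ok"


if __name__ == "__main__":
    stmt = build_statement("registry.example/app", IMAGE_DIGEST, SAMPLE_CDX_SBOM)
    env = sign_statement(stmt, DEMO_KEY)
    print(json.dumps(env, indent=2))
    print(check_attestation(env, DEMO_KEY, IMAGE_DIGEST))
```

The check order matters for a consumer: the signature is verified over the PAE before the payload is parsed, and the subject digest is compared against the digest of the image actually being admitted, so an attestation copied from another image is rejected even though its signature is valid.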
Hi @ThomasVitale! This is a great idea, but this would need to be implemented in the underlying Cloud Native Buildpacks project. Can you start this conversation within the Buildpacks project?