-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generate image SBOMs #539
Comments
The SBOMs are very large - upwards of 45MB! |
This needs a bit more investigation. SBOMs can take over 30 minutes to be generated, so need to make this async. |
Lots of new info just dropped: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ |
Out of curiosity, do you all not plan on tackling SBOMs at all? I started looking into this for my custom image (on top of professional efforts). It would be awesome to see this from the upstream ublue images as well. |
We very much wanna do this as a project, we're just time/resource limited. We were generating a set for Bluefin but they took resources to build and ended up being flakey and causing red, though we kept the actions around. I did notice improvements in the github UI but haven't investigated yet. I wonder if it's clickety-click to setup? |
Good to know. I'll have a look at what you did over there. Good question about the workflow, I'm not sure. If I go down the rabbit hole and have anything to share back before you guys do I'll be sure to do so. |
Due to the recent xz incident, it would be good if we frequently generate SBOMs for our images.
Consider using Syft, and possibly later integrating with Grype for vuln scanning.
I'm investigating this now.
The text was updated successfully, but these errors were encountered: