Auto-attach SBOM to built images

[joonas-fi]

Produce SBOM

syft scan --output=spdx-json docker:fn61/varasto

Which SBOM format

source	recommendation
syft	spdx-json
docker/build-push-action	in-toto(slsa.dev/provenance/v0.2)
Docker scout	in-toto(spdx) + in-toto(slsa.dev/provenance/v0.2)
Earthly	spdx-json

in-toto seems to support embedding different types of provenance information:

• in-toto's own provenance spec: https://slsa.dev/spec/v1.1/provenance
• SPDX inside in-toto doc: https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md
  • in pseudo: intotoStatement(spdxDocument)
  • it's essentially embedding JSON doc inside JSON doc so there's two different specs together parsing one logical document. looks 🤮

Docker seems to be:

• pushing ~hard this intotoStatement(spdxDocument) format by docker/build-push-action defaulting to this
• using Syft

Attach SBOM

how to attach?

• syft's recommendation to use attachment (why? it would need to be signed separately...) cannot be taken seriously, as they don't attach SBOMs to their Syft container image
• Docker scout (docker/scout-sbom-indexer) seems to use vnd.docker.reference.type=attestation-manifest in manifest list:

$ oras manifest fetch --pretty docker.io/docker/scout-sbom-indexer:latest
...
   {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:03865443655036205f8a4cf442d0af176b68a02c377845fbb72707589b673ca3",
      "size": 840,
      "annotations": {
        "vnd.docker.reference.digest": "sha256:e05300973c21517504acf05f23cbe58143cb064d6d32df3795a2b109d38323e5",
        "vnd.docker.reference.type": "attestation-manifest"
      },
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    }
...

which then seems to reference two different in-toto predicates:

1. https://spdx.dev/Document
2. https://slsa.dev/provenance/v0.2

$ oras manifest fetch --pretty docker.io/docker/scout-sbom-indexer@sha256:03865443655036205f8a4cf442d0af176b68a02c377845fbb72707589b673ca3
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:ce272640038585b336aa097ff69d84c4881ea8b471ec71852487491c29e5c706",
    "size": 241
  },
  "layers": [
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:86261ce202310d44ecdcde38b46f7aa906a2a72769e266d7b7ee41ba14f6a1b4",
      "size": 444687,
      "annotations": {
        "in-toto.io/predicate-type": "https://spdx.dev/Document"
      }
    },
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:6afc53b64077ce177775dd166ee96ede98439012b0161cc3bffe6f864598ccbc",
      "size": 23463,
      "annotations": {
        "in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"
      }
    }
  ]
}