Documentation/configuration/sbom.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _sbom:

==========================
Software Bill of Materials
==========================

A Software Bill of Materials (SBOM) is a complete, formally structured list of the components required to build a given piece of software. An SBOM provides insight into the software supply chain and into any license-compliance or security concerns that may exist in it.

The Cilium SBOM is generated using the syft_ tool. To learn more about SBOM, see what is an SBOM_.

.. _syft: https://github.com/anchore/syft
.. _what is an SBOM: https://edu.chainguard.dev/open-source/sbom/what-is-an-sbom/

Prerequisites
-------------

* `Install cosign`_

.. _Install cosign: https://docs.sigstore.dev/cosign/system_config/installation/

Download SBOM
-------------

You can download the SBOM in-toto attestation from the supplied Cilium image using the following command:

.. code-block:: shell-session

    $ cosign download attestation --predicate-type spdxjson <IMAGE URI> | jq -r .payload | base64 -d | jq .predicate > ciliumSBOM.spdx.json

Verify SBOM attestation
-----------------------

To verify the SBOM in-toto attestation on the supplied Cilium image, run the following command:

.. parsed-literal::

    $ TAG=|IMAGE_TAG|
    $ cosign verify-attestation --certificate-github-workflow-repository cilium/cilium \\
        --certificate-oidc-issuer https://token.actions.githubusercontent.com \\
        --certificate-identity-regexp https://github.com/cilium/cilium/.github/workflows \\
        --type spdxjson <IMAGE URI> 2>&1 | head -n 13

For example:

.. code-block:: shell-session

    $ cosign verify-attestation --certificate-github-workflow-repository cilium/cilium \
        --certificate-oidc-issuer https://token.actions.githubusercontent.com \
        --certificate-identity-regexp https://github.com/cilium/cilium/.github/workflows \
        --type spdxjson quay.io/cilium/cilium-ci:d2d270a42b674ca1e7c536186691d8ac8317fd64 2>&1 | head -n 13

    Verification for quay.io/cilium/cilium-ci:d2d270a42b674ca1e7c536186691d8ac8317fd64 --
    The following checks were performed on each of these signatures:
    - The cosign claims were validated
    - Existence of the claims in the transparency log was verified offline
    - The code-signing certificate was verified using trusted certificate authority certificates
    Certificate subject: https://github.com/cilium/cilium/.github/workflows/build-images-ci.yaml@refs/pull/34011/merge
    Certificate issuer URL: https://token.actions.githubusercontent.com
    GitHub Workflow Trigger: pull_request
    GitHub Workflow SHA: 7d967b8355489cef6a787558ac70c9c619463284
    GitHub Workflow Name: Image CI Build
    GitHub Workflow Repository: cilium/cilium
    GitHub Workflow Ref: refs/pull/34011/merge

The ``Certificate subject`` and ``Certificate issuer URL`` fields of the output confirm that the attestation was signed by a GitHub Actions workflow running in the Cilium repository: the subject is a workflow path under ``cilium/cilium`` and the issuer is the GitHub Actions OIDC token service.
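The two sections above describe a pipeline (``cosign download attestation | jq -r .payload | base64 -d | jq .predicate``) and a set of identity checks (``--certificate-oidc-issuer``, ``--certificate-identity-regexp``, ``--certificate-github-workflow-repository``). The Python script below, which is an added example and not part of the Cilium documentation or the cosign project, does the same decoding on a constructed DSSE envelope and applies the same identity checks to the certificate fields shown in the sample output. It adds two checks that a consumer should make before trusting a downloaded SBOM and that the ``jq`` pipeline alone does not make: the statement's ``predicateType`` is the SPDX type, and the statement's ``subject`` digest is the digest of the image that was pulled. The predicate-type URI ``https://spdx.dev/Document`` is assumed from cosign's ``spdxjson`` mapping; the envelope, digest and package list are constructed sample data; no signatures are verified here, because that is cosign's job.

```python
"""Added example (not Cilium's or cosign's code): decode an in-toto SBOM
attestation envelope and apply cosign-style identity checks."""
import base64
import json
import re

# Predicate type cosign uses for `--predicate-type spdxjson` (assumed from
# cosign's predicate-type table; confirm against your cosign version).
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"
# The three values passed on the `cosign verify-attestation` command line above.
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_IDENTITY_RE = r"https://github.com/cilium/cilium/.github/workflows"
EXPECTED_WORKFLOW_REPO = "cilium/cilium"


def build_sample_envelope(image_digest: str) -> dict:
    """Construct a DSSE envelope around an in-toto Statement (sample data only)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "quay.io/cilium/cilium-ci",
                     "digest": {"sha256": image_digest}}],
        "predicateType": SPDX_PREDICATE_TYPE,
        "predicate": {
            "spdxVersion": "SPDX-2.3",
            "name": "quay.io/cilium/cilium-ci",
            "packages": [  # constructed entries, not a real Cilium SBOM
                {"name": "cilium", "versionInfo": "1.x",
                 "licenseConcluded": "Apache-2.0"},
                {"name": "github.com/cilium/ebpf", "versionInfo": "v0.x",
                 "licenseConcluded": "MIT"},
            ],
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    # The signature is a placeholder: cosign verifies it, this example does not.
    return {"payloadType": "application/vnd.in-toto+json",
            "payload": payload,
            "signatures": [{"sig": "PLACEHOLDER"}]}


def extract_predicate(envelope: dict, image_digest: str) -> dict:
    """Equivalent of `jq -r .payload | base64 -d | jq .predicate`, plus checks
    that the statement is an SPDX predicate bound to the expected image digest."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise ValueError(f"not an SPDX attestation: {statement.get('predicateType')!r}")
    subject_digests = [s.get("digest", {}).get("sha256")
                       for s in statement.get("subject", [])]
    if image_digest not in subject_digests:
        raise ValueError("attestation subject does not match the pulled image digest")
    return statement["predicate"]


def summarize_packages(spdx: dict) -> list:
    """Return (name, version, license) for each SPDX package, for quick review."""
    return [(p.get("name", ""), p.get("versionInfo", ""),
             p.get("licenseConcluded", "NOASSERTION"))
            for p in spdx.get("packages", [])]


def identity_ok(cert_subject: str, cert_issuer: str, workflow_repo: str) -> bool:
    """Mirror the issuer, identity-regexp and workflow-repository checks from the
    verify command. Like cosign's regexp match, the search is unanchored, which
    is why the exact issuer and repository checks are applied alongside it."""
    return (cert_issuer == EXPECTED_ISSUER
            and re.search(EXPECTED_IDENTITY_RE, cert_subject) is not None
            and workflow_repo == EXPECTED_WORKFLOW_REPO)


if __name__ == "__main__":
    digest = "0" * 64  # constructed sample digest
    predicate = extract_predicate(build_sample_envelope(digest), digest)
    for name, version, license_id in summarize_packages(predicate):
        print(f"{name:30} {version:8} {license_id}")
    # Certificate fields taken from the sample verify-attestation output above.
    print(identity_ok(
        "https://github.com/cilium/cilium/.github/workflows/build-images-ci.yaml@refs/pull/34011/merge",
        "https://token.actions.githubusercontent.com",
        "cilium/cilium"))
```

To use it against a real image, replace ``build_sample_envelope`` with the JSON emitted by ``cosign download attestation`` and pass the digest from ``crane digest`` or the image manifest; the digest check is what ties the SBOM to the artifact you actually run.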

.. note:: The in-toto_ Attestation Framework provides a specification for generating verifiable claims about any aspect of how a piece of software is produced. Consumers or users of software can then validate the origins of the software, and establish trust in its supply chain, using in-toto attestations.

.. _in-toto: https://in-toto.io/