# Additional Information

## Software Bill of Materials (SBOM)

### Containers

An SBOM for our public containers (e.g. [Pipekit Agent](/pipekit-agent.md) and the [Pipekit CLI](/cli.md#docker-container)) is embedded within the container image in SPDX format. You can extract the SBOM by running the following `docker buildx` command:

```bash
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ json (index .SBOM "linux/amd64").SPDX}}' > pipekit-agent.spdx
```

Remember to replace the `v0.0.0` image tag in these commands with the tag you want to inspect. Available tags are listed here:

* [Pipekit Agent](https://hub.docker.com/r/pipekit13/pipekit-agent/tags)
* [Pipekit CLI](https://hub.docker.com/r/pipekit13/cli/tags)

We publish a `linux/amd64` and a `linux/arm64` variant of each container under a single image tag, which is why you need to select the matching variant of the SBOM when extracting it.

Alternatively, you can extract a list of all the packages used in the container by running the following command:

```bash
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ println .name .versionInfo }}{{ end }}' | sort
```

You can also search for individual packages by running the following command:

```bash
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ if eq .name "busybox" }}{{ println .versionInfo }}{{ end }}{{ end }}'
```
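Once you have extracted the SBOM for two image tags (or for the `linux/amd64` and `linux/arm64` variants of one tag), you can compare them to see which packages were added, removed, or changed version. The script below is an added example, not part of Pipekit's tooling. It relies only on the `packages`, `name` and `versionInfo` fields used in the commands above, and its sample data is constructed rather than taken from a real Pipekit SBOM.

```python
import json
import sys
from collections import defaultdict


def package_versions(spdx_doc):
    """Map package name -> set of versionInfo strings from an SPDX JSON document."""
    versions = defaultdict(set)
    for pkg in spdx_doc.get("packages") or []:
        name = pkg.get("name")
        if name:
            # versionInfo is optional in SPDX; record its absence explicitly.
            versions[name].add(pkg.get("versionInfo") or "(no version)")
    return dict(versions)


def diff_sboms(old_doc, new_doc):
    """Return (added, removed, changed) between two SPDX documents."""
    old, new = package_versions(old_doc), package_versions(new_doc)
    added = {n: sorted(new[n]) for n in new.keys() - old.keys()}
    removed = {n: sorted(old[n]) for n in old.keys() - new.keys()}
    # A name can appear with several versions, so compare the full sets.
    changed = {n: (sorted(old[n]), sorted(new[n]))
               for n in old.keys() & new.keys() if old[n] != new[n]}
    return added, removed, changed


# Constructed sample documents (not real Pipekit SBOM contents).
SAMPLE_OLD = {"packages": [
    {"name": "busybox", "versionInfo": "1.36.0"},
    {"name": "example-lib", "versionInfo": "1.0.0"},
    {"name": "example-lib", "versionInfo": "2.0.0"},
    {"name": "legacy-tool"},
]}
SAMPLE_NEW = {"packages": [
    {"name": "busybox", "versionInfo": "1.36.1"},
    {"name": "example-lib", "versionInfo": "2.0.0"},
    {"name": "new-dep", "versionInfo": "0.3.1"},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # two files written by the extraction command
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            docs = json.load(f_old), json.load(f_new)
    else:
        docs = SAMPLE_OLD, SAMPLE_NEW
    added, removed, changed = diff_sboms(*docs)
    for label, items in (("added", added), ("removed", removed), ("changed", changed)):
        for name in sorted(items):
            print(label, name, items[name])
```

Run it with two extracted `.spdx` files as arguments; with no arguments it runs against the constructed sample data.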

### CLI Binaries

SBOM files are available alongside the CLI binaries in the [Pipekit CLI repository](https://github.com/pipekit/cli/releases).

## Signed Containers

We sign our public containers using [Cosign](https://docs.sigstore.dev/cosign/installation). Signing materials are stored in a tamper-resistant public log.

After installing Cosign, you can verify the signature of a container by running the following command:

```bash
cat <<EOF > pipekit-cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUsGMXv9tynS/2yu4WkZLZwLYIbq1
kI/iAtFVazXjKbZVS4+UJnAFt1eh6I8+MEN75KHUD+xw0rm918ZxgRlXKA==
-----END PUBLIC KEY-----
EOF

cosign verify --key pipekit-cosign.pub pipekit13/pipekit-agent:latest
```

You can use an admission controller such as [Connaisseur](https://github.com/sse-secure-systems/connaisseur) to verify the signature of the container at runtime within Kubernetes.

