Additional Information

Software Bill of Materials (SBOM)

Containers

An SBOM for our public containers (e.g. Pipekit Agent and the Pipekit CLI) is embedded within the container image in SPDX format. You can extract the SBOM by running the following docker buildx command:

docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ json (index .SBOM "linux/amd64").SPDX}}' > pipekit-agent.spdx

Remember to set the image tag accordingly:

We combine a linux/amd64 and a linux/arm64 variant of the containers as one image tag, this is why you need to choose the correct variant of the SBOM to extract.

Alternatively, you can extract a list of all the packages used in the container by running the following command:

docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ println .name .versionInfo }}{{ end }}' | sort

You can also search for individual packages by running the following command:

docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ if eq .name "busybox" }}{{ println .versionInfo }}{{ end }}{{ end }}'

CLI Binaries

SBOM files are available alongside the CLI binaries in the Pipekit CLI repository.

Signed Containers

We sign our public containers using Cosign. Signing materials are stored in a tamper-resistant public log.

After installing Cosign, you can verify the signature of a container by running the following command:

cat <<EOF > pipekit-cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUsGMXv9tynS/2yu4WkZLZwLYIbq1
kI/iAtFVazXjKbZVS4+UJnAFt1eh6I8+MEN75KHUD+xw0rm918ZxgRlXKA==
-----END PUBLIC KEY-----
EOF

cosign verify --key pipekit-cosign.pub pipekit13/pipekit-agent:latest

You can use an admission controller such as Connaisseur to verify the signature of the container at runtime within Kubernetes.

Last updated 1 year ago