Additional Information

Last updated 9 months ago

Additional Information

Software Bill of Materials (SBOM)

Containers

An SBOM for our public containers (e.g. and the ) is embedded within the container image in SPDX format. You can extract the SBOM by running the following docker buildx command:

docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ json (index .SBOM "linux/amd64").SPDX}}' > pipekit-agent.spdx

Remember to set the image tag accordingly:

We combine a linux/amd64 and a linux/arm64 variant of the containers as one image tag, this is why you need to choose the correct variant of the SBOM to extract.

Alternatively, you can extract a list of all the packages used in the container by running the following command:

docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ println .name .versionInfo }}{{ end }}' | sort

You can also search for individual packages by running the following command:

docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ if eq .name "busybox" }}{{ println .versionInfo }}{{ end }}{{ end }}'

CLI Binaries

SBOM files are available alongside the CLI binaries in the .

Signed Containers

After installing Cosign, you can verify the signature of a container by running the following command:

cat <<EOF > pipekit-cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUsGMXv9tynS/2yu4WkZLZwLYIbq1
kI/iAtFVazXjKbZVS4+UJnAFt1eh6I8+MEN75KHUD+xw0rm918ZxgRlXKA==
-----END PUBLIC KEY-----
EOF

cosign verify --key pipekit-cosign.pub pipekit13/pipekit-agent:latest

Last updated 9 months ago