Additional Information
Last updated
An SBOM for our public containers (e.g. and the ) is embedded within the container image in SPDX format. You can extract the SBOM by running the following docker buildx command:
Remember to set the image tag accordingly:
We publish the linux/amd64 and linux/arm64 variants of the containers under one image tag, which is why you need to choose the correct platform variant of the SBOM to extract.
Alternatively, you can extract a list of all the packages used in the container by running the following command:
You can also search for individual packages by running the following command:
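The package listing and package search above are done with `docker buildx imagetools inspect` against the registry. As an added example (not the project's own tooling), the script below does the same two things offline on an SBOM you have already extracted. It assumes the JSON is shaped like the `.SBOM` object that `docker buildx imagetools inspect` returns for a multi-platform image: one key per platform (`linux/amd64`, `linux/arm64`), each holding an `SPDX` document. The image name, package names, versions and purls in the sample are constructed for the example and do not describe any real image.

```python
import json
from typing import Optional


def _pkg(name: str, version: str, ecosystem: str, arch: str) -> dict:
    """Build a minimal SPDX 2.3 package entry with a purl external reference."""
    return {
        "name": name,
        "versionInfo": version,
        "SPDXID": f"SPDXRef-Package-{ecosystem}-{name}",
        "externalRefs": [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": f"pkg:{ecosystem}/alpine/{name}@{version}?arch={arch}",
        }],
    }


# Constructed sample (not a real SBOM): the per-platform layout mirrors what
# `docker buildx imagetools inspect <image> --format '{{ json .SBOM }}'`
# returns for a multi-platform image. The arm64 variant carries one extra
# package so that the platform choice visibly matters.
SAMPLE_SBOM_JSON = json.dumps({
    "linux/amd64": {"SPDX": {
        "spdxVersion": "SPDX-2.3",
        "name": "example-image:1.0",
        "packages": [
            _pkg("openssl", "3.0.13-r0", "apk", "x86_64"),
            _pkg("libssl3", "3.0.13-r0", "apk", "x86_64"),
            _pkg("zlib", "1.3.1-r0", "apk", "x86_64"),
        ],
    }},
    "linux/arm64": {"SPDX": {
        "spdxVersion": "SPDX-2.3",
        "name": "example-image:1.0",
        "packages": [
            _pkg("openssl", "3.0.13-r0", "apk", "aarch64"),
            _pkg("libssl3", "3.0.13-r0", "apk", "aarch64"),
            _pkg("zlib", "1.3.1-r0", "apk", "aarch64"),
            _pkg("libgcc", "13.2.1-r0", "apk", "aarch64"),
        ],
    }},
})


def load_spdx(sbom_json: str, platform: Optional[str] = None) -> dict:
    """Return the SPDX document for one platform of a multi-arch SBOM.

    A single-platform SBOM has the SPDX document at the top level; a
    multi-platform one is keyed by platform, so a platform must be chosen.
    """
    doc = json.loads(sbom_json)
    if "SPDX" in doc:
        return doc["SPDX"]
    if platform is None:
        raise ValueError(f"multi-platform SBOM; choose one of {sorted(doc)}")
    if platform not in doc:
        raise ValueError(f"no SBOM for {platform!r}; available: {sorted(doc)}")
    return doc[platform]["SPDX"]


def list_packages(spdx: dict) -> list:
    """All package names in the SPDX document, sorted for stable diffs."""
    return sorted(p["name"] for p in spdx.get("packages", []))


def find_packages(spdx: dict, needle: str) -> list:
    """Packages whose name or purl contains `needle` (case-insensitive).

    Returns (name, version, purl) tuples so the match can be cross-checked
    against an advisory that names a specific version.
    """
    needle = needle.lower()
    hits = []
    for p in spdx.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        if needle in p["name"].lower() or (purl and needle in purl.lower()):
            hits.append((p["name"], p.get("versionInfo", ""), purl))
    return hits


if __name__ == "__main__":
    spdx = load_spdx(SAMPLE_SBOM_JSON, "linux/amd64")
    print("packages:", ", ".join(list_packages(spdx)))
    for name, version, purl in find_packages(spdx, "ssl"):
        print(f"{name} {version}  {purl}")
```

In practice you would feed `load_spdx` the file written by the buildx command on the page; the platform argument is the same `linux/amd64` or `linux/arm64` choice the text asks you to make when extracting.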
SBOM files are available alongside the CLI binaries in the .
After installing Cosign, you can verify the signature of a container by running the following command:
We sign our public containers using . Signing materials are stored in a tamper-resistant public log.
You can use an admission controller such as to verify the signature of the container at runtime within Kubernetes.