Additional Information

Software Bill of Materials (SBOM)

Containers

An SBOM for our public containers (e.g. Pipekit Agent and the Pipekit CLI) is embedded within the container image in SPDX format. You can extract the SBOM by running the following docker buildx command:

```shell
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ json (index .SBOM "linux/amd64").SPDX}}' > pipekit-agent.spdx
```

Remember to set the image tag accordingly.

We publish a linux/amd64 and a linux/arm64 variant of each container under one image tag, which is why you need to choose the correct platform variant of the SBOM to extract.

Alternatively, you can extract a list of all the packages used in the container by running the following command:

```shell
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ println .name .versionInfo }}{{ end }}' | sort
```

You can also search for individual packages by running the following command:

```shell
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ if eq .name "busybox" }}{{ println .versionInfo }}{{ end }}{{ end }}'
```
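The three templates above can be awkward to adapt when you want to work with the SBOM offline or compare platform variants. The following is an added example, not part of the Pipekit documentation or tooling: it assumes you saved the whole platform map with `--format '{{ json .SBOM }}'` and mirrors the platform lookup, package listing and per-package search in Python. The embedded SBOM is a constructed sample with made-up versions.

```python
"""Query the `.SBOM` map of a multi-platform image, as emitted by
`docker buildx imagetools inspect <image> --format '{{ json .SBOM }}'`."""
import json

# Constructed sample (not from a real image): one SPDX document per platform,
# trimmed to the fields used here. The arm64 variant deliberately differs
# in one package so the comparison below has something to report.
SAMPLE_SBOM_INDEX = json.loads("""{
  "linux/amd64": {"SPDX": {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "busybox", "versionInfo": "1.36.1-r0"},
    {"name": "ca-certificates", "versionInfo": "20230506-r0"},
    {"name": "golang.org/x/net", "versionInfo": "v0.17.0"}]}},
  "linux/arm64": {"SPDX": {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "busybox", "versionInfo": "1.36.1-r1"},
    {"name": "ca-certificates", "versionInfo": "20230506-r0"},
    {"name": "golang.org/x/net", "versionInfo": "v0.17.0"}]}}
}""")


def select_spdx(sbom_index: dict, platform: str) -> dict:
    """Equivalent of `(index .SBOM "linux/amd64").SPDX`; a wrong platform key
    fails loudly instead of silently yielding an empty package list."""
    if platform not in sbom_index:
        raise KeyError(f"no SBOM for {platform}; available: {sorted(sbom_index)}")
    return sbom_index[platform]["SPDX"]


def list_packages(spdx: dict) -> list[str]:
    """Sorted 'name version' lines, like the `range ... println | sort` command."""
    return sorted(f"{p.get('name', '')} {p.get('versionInfo', '')}".rstrip()
                  for p in spdx.get("packages", []))


def find_versions(spdx: dict, name: str) -> list[str]:
    """Versions recorded for one package name, like the `if eq .name` template."""
    return [p.get("versionInfo", "") for p in spdx.get("packages", [])
            if p.get("name") == name]


def diff_platforms(sbom_index: dict, a: str, b: str) -> set[str]:
    """Package entries present in only one of two platform variants of a tag."""
    return (set(list_packages(select_spdx(sbom_index, a)))
            ^ set(list_packages(select_spdx(sbom_index, b))))


if __name__ == "__main__":
    spdx = select_spdx(SAMPLE_SBOM_INDEX, "linux/amd64")
    print("\n".join(list_packages(spdx)))
    print("busybox:", find_versions(spdx, "busybox"))
    print("amd64 vs arm64:", diff_platforms(SAMPLE_SBOM_INDEX, "linux/amd64", "linux/arm64"))
```

To run it against a real image, replace `SAMPLE_SBOM_INDEX` with `json.load(open("sbom.json"))` after saving the `--format '{{ json .SBOM }}'` output to that file.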

CLI Binaries

SBOM files are available alongside the CLI binaries in the Pipekit CLI repository.

Signed Containers

We sign our containers using [Cosign](https://docs.sigstore.dev/cosign/installation). Signing materials are stored in a tamper-resistant public log.

Only the digest of the container is signed, not the tag, because tags are mutable. This means that you can verify the signature of a container even if the tag has changed.

The digest is available on Docker Hub, or you can use the `docker inspect` command to find it.

After installing Cosign, you can verify the signature of a container by running the following command:

```shell
cat <<EOF > pipekit-cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUsGMXv9tynS/2yu4WkZLZwLYIbq1
kI/iAtFVazXjKbZVS4+UJnAFt1eh6I8+MEN75KHUD+xw0rm918ZxgRlXKA==
-----END PUBLIC KEY-----
EOF

cosign verify --key pipekit-cosign.pub pipekit13/pipekit-agent@sha256:cee5a3d867429a842965949e225f87daf55755ad4aff792ec1545c57a79c753b
```

You can use an admission controller such as Connaisseur to verify the signature of the container at runtime within Kubernetes.
