# Additional Information

## Software Bill of Materials (SBOM)

### Containers

An SBOM for our public containers (e.g. [Pipekit Agent](https://docs.pipekit.io/pipekit-agent) and the [Pipekit CLI](https://docs.pipekit.io/cli#docker-container)) is embedded within the container image in SPDX format. You can extract the SBOM by running the following docker buildx command:

```bash
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ json (index .SBOM "linux/amd64").SPDX}}' > pipekit-agent.spdx
```

Remember to set the image tag accordingly:

* [Pipekit Agent](https://hub.docker.com/r/pipekit13/pipekit-agent/tags)
* [Pipekit CLI](https://hub.docker.com/r/pipekit13/cli/tags)

We publish the `linux/amd64` and `linux/arm64` variants of each container under a single image tag, which is why you need to select the platform (the `index .SBOM "linux/amd64"` part of the command) whose SBOM you want to extract.

Alternatively, you can extract a list of all the packages used in the container by running the following command:

```bash
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ println .name .versionInfo }}{{ end }}' | sort
```

You can also search for individual packages by running the following command:

```bash
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ if eq .name "busybox" }}{{ println .versionInfo }}{{ end }}{{ end }}'
```
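Once the SPDX document has been written to a file (`pipekit-agent.spdx` in the first command), it can be inventoried and checked offline. The script below is an added example, not Pipekit's own tooling: it reads the same `packages[].name` / `packages[].versionInfo` fields the templates above use, and compares them against a constructed minimum-version policy (the package names and versions in the sample and the policy are made up for illustration).

```python
"""Inventory an SPDX SBOM extracted with `docker buildx imagetools inspect`."""
import json
import re
import sys

# Constructed SPDX fragment (not a real Pipekit extract); only the fields the
# buildx templates read are included, real SBOMs carry many more.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "sample-image",
    "packages": [
        {"SPDXID": "SPDXRef-1", "name": "busybox", "versionInfo": "1.36.1-r15"},
        {"SPDXID": "SPDXRef-2", "name": "ca-certificates", "versionInfo": "20230506-r0"},
        {"SPDXID": "SPDXRef-3", "name": "zlib", "versionInfo": "1.2.13-r1"},
    ],
})


def load_packages(spdx_json: str) -> dict:
    """Return {package name: versionInfo}, the data the `sort`ed template prints."""
    doc = json.loads(spdx_json)
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


def version_key(version: str) -> tuple:
    """Comparable key: numeric components compare as ints, suffixes like 'r15' as text."""
    parts = re.split(r"[.\-_]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def check_minimums(packages: dict, minimums: dict) -> dict:
    """For each policy entry report 'ok', 'absent', or 'below minimum ...'.

    `minimums` is a constructed policy (e.g. the fixed version named in an
    advisory); 'absent' means the package is not in the SBOM at all.
    """
    status = {}
    for name, required in minimums.items():
        found = packages.get(name)
        if found is None:
            status[name] = "absent"
        elif version_key(found) < version_key(required):
            status[name] = f"below minimum {required} (found {found})"
        else:
            status[name] = "ok"
    return status


if __name__ == "__main__":
    # Pass the extracted file (e.g. pipekit-agent.spdx) as argv[1]; else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SPDX
    pkgs = load_packages(text)
    for name in sorted(pkgs):
        print(name, pkgs[name])
    print(check_minimums(pkgs, {"busybox": "1.36.0", "zlib": "1.3.0", "openssl": "3.0.0"}))
```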

### CLI Binaries

SBOM files are available alongside the CLI binaries in the [Pipekit CLI repository](https://github.com/pipekit/cli/releases).

## Signed Containers

We sign our public containers using [Cosign](https://docs.sigstore.dev/cosign/installation). Signing materials are stored in a tamper-resistant public log.

After installing Cosign, you can verify the signature of a container by running the following command:

```bash
cat <<EOF > pipekit-cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUsGMXv9tynS/2yu4WkZLZwLYIbq1
kI/iAtFVazXjKbZVS4+UJnAFt1eh6I8+MEN75KHUD+xw0rm918ZxgRlXKA==
-----END PUBLIC KEY-----
EOF

cosign verify --key pipekit-cosign.pub pipekit13/pipekit-agent:latest
```

You can use an admission controller such as [Connaisseur](https://github.com/sse-secure-systems/connaisseur) to verify the signature of the container at runtime within Kubernetes.
