PipekitPricingBlogPipekit Status
Search
K
Links

Additional Information

Software Bill of Materials (SBOM)

Containers

An SBOM for our public containers (e.g. Pipekit Agent and the Pipekit CLI) is embedded within the container image in SPDX format. You can extract the SBOM by running the following docker buildx command:
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ json (index .SBOM "linux/amd64").SPDX}}' > pipekit-agent.spdx
Remember to set the image tag accordingly:
We combine a linux/amd64 and a linux/arm64 variant of the containers as one image tag, this is why you need to choose the correct variant of the SBOM to extract.
Alternatively, you can extract a list of all the packages used in the container by running the following command:
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ println .name .versionInfo }}{{ end }}' | sort
You can also search for individual packages by running the following command:
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ if eq .name "busybox" }}{{ println .versionInfo }}{{ end }}{{ end }}'

CLI Binaries

SBOM files are available alongside the CLI binaries in the Pipekit CLI repository.

Signed Containers

We sign our containers using [Cosign](https://docs.sigstore.dev/cosign/installation). Signing materials are stored in a tamper-resistant public log.
Only the digest of the container is signed, not the tag, because tags are mutable. This means that you can verify the signature of a container even if the tag has changed.
The digest is available on docker hub:
Of you can use the docker inspect command to find the digest.
After installing Cosign, you can verify the signature of a container by running the following command:
cat <<EOF > pipekit-cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUsGMXv9tynS/2yu4WkZLZwLYIbq1
kI/iAtFVazXjKbZVS4+UJnAFt1eh6I8+MEN75KHUD+xw0rm918ZxgRlXKA==
-----END PUBLIC KEY-----
EOF
cosign verify --key pipekit-cosign.pub pipekit13/pipekit-agent@sha256:cee5a3d867429a842965949e225f87daf55755ad4aff792ec1545c57a79c753b
You can use an admission controller such as Connaisseur to verify the signature of the container at runtime within Kubernetes.
Last modified 1mo ago