Additional Information
Software Bill of Materials (SBOM)
Containers
An SBOM for our public containers (e.g. Pipekit Agent and the Pipekit CLI) is embedded within the container image in SPDX format. You can extract the SBOM by running the following docker buildx command:
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ json (index .SBOM "linux/amd64").SPDX}}' > pipekit-agent.spdx
Remember to set the image tag accordingly:
We combine a linux/amd64
and a linux/arm64
variant of the containers as one image tag, this is why you need to choose the correct variant of the SBOM to extract.
Alternatively, you can extract a list of all the packages used in the container by running the following command:
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ println .name .versionInfo }}{{ end }}' | sort
You can also search for individual packages by running the following command:
docker buildx imagetools inspect pipekit13/pipekit-agent:v0.0.0 --format '{{ range (index .SBOM "linux/amd64").SPDX.packages }}{{ if eq .name "busybox" }}{{ println .versionInfo }}{{ end }}{{ end }}'
CLI Binaries
SBOM files are available alongside the CLI binaries in the Pipekit CLI repository.
Signed Containers
We sign our public containers using Cosign. Signing materials are stored in a tamper-resistant public log.
After installing Cosign, you can verify the signature of a container by running the following command:
cat <<EOF > pipekit-cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUsGMXv9tynS/2yu4WkZLZwLYIbq1
kI/iAtFVazXjKbZVS4+UJnAFt1eh6I8+MEN75KHUD+xw0rm918ZxgRlXKA==
-----END PUBLIC KEY-----
EOF
cosign verify --key pipekit-cosign.pub pipekit13/pipekit-agent:latest
You can use an admission controller such as Connaisseur to verify the signature of the container at runtime within Kubernetes.
Last updated