Added attestation from intermediate multi-stage build steps #668
620ebe0 to a9a7e8b
Thanks for the contribution. What benefit does this have for users of this Docker image?
This is part of Docker's work to secure the software supply chain (I work with @tianon @ docker)
@lukebakken I'm a bit new to this so I had to take a bit of time to find the best way to explain the change. This change doesn't affect the content of the image but rather helps get more metadata about how the image is generated by adding more SBOM attestation. Let me know if that makes sense.
Sure, I googled
@@ -145,6 +149,8 @@ RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version | |||
|
|||
FROM openssl-builder as erlang-builder | |||
|
|||
ARG BUILDKIT_SBOM_SCAN_STAGE=true |
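Review bot: the `ARG BUILDKIT_SBOM_SCAN_STAGE=true` added to the erlang-builder stage at the end of this hunk is scoped to that stage only, so it does not opt in openssl-builder, whose files the final image also copies according to the discussion below; declare the same ARG in openssl-builder as well, or set it once before the first FROM if every stage is meant to be scanned. A short comment next to the ARG saying that it is a BuildKit SBOM scan opt-in, consumed only when the build is run with SBOM attestations enabled, would also help, since nothing else in the Dockerfile explains why the line is there.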
Only the erlang-builder stage needs its SBOM captured since it is from the previous stage, openssl-builder, which is from the previous one, build-base, so having all three would just add duplication in the final SBOM.
I agree that the base doesn't need them but the end image pulls files from both the openssl-builder and erlang-builder image so I think they both need to have it
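As an added illustration (not the rabbitmq Dockerfile from this PR), a minimal multi-stage layout showing where the per-stage opt-in has to live: ARG BUILDKIT_SBOM_SCAN_STAGE applies only to the stage that declares it, so each stage whose output is copied into the final image carries its own declaration, while the toolchain-only base stage is left out. The stage names follow the thread; the packages, paths and image tag are stand-ins.

```dockerfile
# syntax=docker/dockerfile:1
# Build with SBOM attestations enabled so the per-stage opt-ins are honoured:
#   docker buildx build --sbom=true -t example/sbom-stages:dev .
# Inspect the resulting attestation with:
#   docker buildx imagetools inspect example/sbom-stages:dev --format '{{ json .SBOM }}'
# Stage names mirror the discussion; packages, paths and tag are stand-ins.

FROM alpine:3.19 AS build-base
# Toolchain only: nothing from this stage is copied into the final image, so it
# is deliberately NOT opted in (its packages would only duplicate SBOM entries).
RUN apk add --no-cache build-base

FROM build-base AS openssl-builder
# Opt in: the ARG is scoped to this stage, and this stage's output is copied
# into the final image, so its packages must be scanned here.
ARG BUILDKIT_SBOM_SCAN_STAGE=true
RUN apk add --no-cache openssl \
	&& mkdir -p /opt/openssl/bin \
	&& cp /usr/bin/openssl /opt/openssl/bin/openssl

FROM openssl-builder AS erlang-builder
# The ARG above is not inherited by this stage; it needs its own declaration.
ARG BUILDKIT_SBOM_SCAN_STAGE=true
RUN apk add --no-cache erlang \
	&& mkdir -p /opt/erlang \
	&& cp -r /usr/lib/erlang /opt/erlang/lib

FROM alpine:3.19
# Runtime image copies from both intermediate stages, which is why both of them
# (and not build-base) carry the scan-stage opt-in.
COPY --from=openssl-builder /opt/openssl /opt/openssl
COPY --from=erlang-builder /opt/erlang /opt/erlang
```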
a9a7e8b to 718e50a
Updated by moving the scanning to the openssl layer in Alpine
718e50a to 78a4994
78a4994 to a84b199
LGTM
Changes:
- docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom

Changes:
- docker-library/rabbitmq@b015404: Merge pull request docker-library/rabbitmq#669 from LaurentGoderre/more-sbom-2
- docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom
- docker-library/rabbitmq@fbcfd9a: Added licenses to attestation of binaries compiled from source
- docker-library/rabbitmq@215db22: fixup
- docker-library/rabbitmq@9f71069: Add attestations for binaries compiled from source

Changes:
- docker-library/rabbitmq@b2387a8: Merge pull request docker-library/rabbitmq#670 from LaurentGoderre/remove-heredoc
- docker-library/rabbitmq@6e58700: Stop using HEREDOC for SBOM attestation because it breaks the DOI builds
- docker-library/rabbitmq@b015404: Merge pull request docker-library/rabbitmq#669 from LaurentGoderre/more-sbom-2
- docker-library/rabbitmq@1078026: Merge pull request docker-library/rabbitmq#668 from LaurentGoderre/more-sbom
- docker-library/rabbitmq@fbcfd9a: Added licenses to attestation of binaries compiled from source
- docker-library/rabbitmq@215db22: fixup
- docker-library/rabbitmq@9f71069: Add attestations for binaries compiled from source
This is what gets added: